123 comments

[ 2.8 ms ] story [ 211 ms ] thread
That is sound advice. Also, when smartphones are gone, it's like magic and people pay attention to the speaker again :)

I would add one hint, which is to also NOT have internet-connected Smart TV's in your meeting rooms.

They might be streaming whatever you say for "diagnostics" or to "improve customer service" or just to shove more ads into your face the next time you turn it on.

"Samsung's small print says that its Smart TV's voice recognition system will not only capture your private conversations, but also pass them onto third parties."

https://www.cnet.com/news/samsungs-warning-our-smart-tvs-rec...

Interesting. Unclear if this is because of a known exploit, or because they know they lack sufficient relevant skills to estimate the likelihood of an exploit, or if they do have the skills to know an exploit is likely even if the specifics are not.
I've always heard that nation state actors will get access to your devices if they want to, and there's basically nothing any individual user or company can do about it. Using known or unknown exploits, the assumption is that if they want to get in, they will.
One nation state in particular seems to be very paranoid about a different nation state's new 5G boxes. Afraid of suffering new exploits or of losing access to old ones? ¿Por que no...

Desh tu kowltim. Na im pash, na pash im. ("Always two there are; no more, no less.")

What language is that?
Ciao, Leonardo! It's the Expanse TV conlang, lang belta. Sorry, I've been so enthusiastic about its expressivity I completely forgot to telegraph.
Thanks. Sounds like it’s like learning Klingon, for a new generation. :)
> there's basically nothing any individual user or company can do about it

There should be.

Why are sensors always connected to the machine? They should be physically disabled when not in use. We need physical kill switches for the hardware. It's pointless to obtain access to sensors that don't actually work.

We also need a way to impose complete electronic silence. The phone should not emit anything unless the user wills it. This gets rid of unwanted radiofrequency emissions that can be used to communicate with and track the phone, as well as stuff like ultrasonic tracking beacons.

Have you not been paying attention to the Snowden leaks? That was years ago, and proven a fact at the hardware level even before the leaks.
It's because of a multitude of known exploits over the years and the reality that people may carry personal phones that have not received security updates in months/years and may come from suppliers that cannot necessarily be trusted to do a good job of updating to begin with.

I'd say the actual reason for this announcement may have been some undisclosed incidents where this actually happened or has been suspected to have happened. We'll never know. But with people having an active microphone permanently on in their pocket, there's very little need for getting people to break into buildings and install some microphones (a plot point in most spy movies in the last century or so).

How are smartphones and tablets different from laptops and regular phones in this regard? Shouldn't the advise be to meet without microphones of any kind, if you're really that paranoid? And of course, I would expect that online conferences are right out - especially useful advice in the times of Covid19.

Unless this is advice for state-level institutions discussing state secrets, this seems like completely useless advice, the kind that gives security people a bad name. It is both too paranoid for regular businesses, and provides too little protection if you truly are being targeted for espionage. Especially in a time where most meetings are happening online.

I generally agree with you, but one argument might be that corporate laptops can have strict security policies enforced, but people generally bring their unmanaged personal/private smartphones with them into meeting rooms.
My managed corporate smartphone is not significantly more secure than my personal one.
You are probably not who they are worried about. My work phone has a corporate curated app store, corporate imessage server, and always on monitoring software. My private phone is full of sideloaded apks and runs as root.
Depends on your field, I guess. Been working for investment banks in front office engineering roles and the only more paranoid organisations I had experience with were exchanges (FX).

Even as a power user you will never get admin rights on your machine, neither will you be permitted to download anything lest install it.

Makes it a bit hard to work though doesn’t it?
Phones have a GPS chip and an internet connection that can bypass the corporate network. They are a slightly worse threat than a standard laptop.

At least a laptop there is a chance of corporate IT noticing unusual network traffic.

Last century we had low bitrate codecs for full bandwidth speech over dialup modems. I think that little traffic would be shapeable.

Bonus clip: https://www.youtube.com/watch?v=8CRA_yE4D-s&t=35

====

Wow Setara, fit 5. Da Komante Da Bik Im Du Xite Efa.

(most Expanse asteroid belters prefer dubs to subs)

Leya: Setashang Lando?

Solo: Lando na setashang, im mang.

...

Leya: To tenye timting mali to. Wamali, ye to tenye imalowda.

The best ThinkPads - which are used in many corporations - use Intel's vPro technology. Intel is offering those corporations to "remotely wipe the hard disk - even if laptop is turned off and not connected to the internet - in case the laptop is stolen". This technology requires presence of WLAN and SIM card. So it bypasses the corporate IT completely...
This comparison is absurd.

A minority of laptops are thinkpads, a fraction of those have SIM cards, and, finally, attacking that subsystem requires serious skills and the benefits are dubious.

Compare that with android/ios phones, which 99% of people have, and have a large underground market of backdoors that anybody can buy and install. Not to mention all the spyware that users and OEM install.

It's the difference between finding an expliot for gmail vs finding one for a small discord server. Your attack on gmail has a bigger universe of targets if successful.
Yes, and that's why NSA successfully intercepted google's fiber optic cables and so on.
Uh, discord is a centralized service. You find an exploit for a "small discord server" you can probably use it on all servers.
The concern is not literally who owns the network, but whether or not the organization can effectively manage the traffic. There are secure ways to manage that setup, as opposed to, a personal phone where the organization has zero control.
This is not equivalent, though.

Here are some questions I don't have the answer to, but would be relevant:

- Are these SIMs always active?

- Do they communicate broadly with the internet, or just specific servers?

- If they communicate with specific servers, where does an attacker have to be exploit these communications?

- Does this technology allow for the arbitrary execution of code, or can it only wipe the hard drive?

There are probably more contraints here, but the basic point I'm driving at is that the challenge here is not equivalent to the challenge of exploiting an old android or iOS device. Is there some risk, yes, but it really doesn't seem to be the same amount of risk.

I'm thinking about that "OK Google" feature that's probably designed to be listening 100% of the time.
That's present on many Windows laptops now too, isn't it?
The other thing is that executives commonly carry a corporate and a personal device for various reasons.
I agree about the 3rd party internet connection.

I disagree about the GPS chip. GPS chips are receivers only. You cannot track someone through GPS unless you bug their device and make it send location through another channel. Yeah, that 3rd party internet connection :)

Also, GPS only works outdoors. Not in a corporate boardroom.

Mobile phones use GPS, to be sure, but they also discern location by WiFi radio locations. If your phone is connected to BigCorpWiFi, then we know where you are. Even if you are in the BigCorp building connected to BigCorpWiFi with SmallCorpWiFi from next door detectable, we know which side of the building of BigCorp you are located. If you're on the street corner and your phone can see the WiFi networks of WiFi-1, WiFi-2, WiFi-3, we now know which street corner you are on without accessing the GPS chip. If the WiFi-2 signal is stronger, we know which side of the street you are on.

Forget WiFi. Walking down a street with lots of retail shops while Bluetooth is enabled receives pings from all sorts of trackers/beacons. We know where you are.

TL;DR: If you think location data is only discernible by using GPS, you are incorrect.

The difference is that a smartphone or tablet is an always on device and are also usually personal devices. In addition they are carried round in pockets or bags.

Taking over a mobile device remotely and activating the camera and microphone is a real thing (citations available but https://www.wired.com/story/whatsapp-hack-phone-call-voip-bu... from 2019 provides a solid 'is possible to do' example).

I have worked in more than a few sites where all cell-phones needed to be placed in to faraday cage lockers located outside the highly secure areas prior to entering but laptops were ok to take in and use (subject to high contrast stickers over cameras, dummy jacks placed in mic sockets and wi-fi switched off).

Given that these were a mixture of national infrastructure, military and embassy type sites and was a thing ten+ years ago I think the various governments are well aware of their own abilities and assume that the opposition have equal capabilities.

I take your point regarding “Unless this is advice for state-level institutions discussing state secrets” but knowledge leaks and filters down in to the corporate world. Those same C-Suits that have to attend meetings discussing restricted information projects go away thinking – Huh, I wonder if it could be done to us by a competitor.

When you consider the difficulties of verifying the supply chain of a random mobile device (from the chipset through to all installed apps) it leaves so many security holes that it is best to assume that anything a nation state can do so can a well skilled hacker (or group).

> I think the various governments are well aware of their own abilities and assume that the opposition have equal capabilities.

Exactly. From most people, "smartphones are spying on us" sounds a little tinfoil hat. Coming from the Director of Military Intelligence, however, gives the message some credence.

Which still needs to be read with nuance though: militaries and governments are worried about targeted, specific efforts directed at specific individuals, and the general difficulty of securing random electronic devices which exist outside of high-security environments sometimes (close to impossible).

This is probably a reasonable threat for executives to worry about, but it's still ultimately an expression of "we're concerned about a threat where breaking into a home and bugging the device or swapping it with a compromised one is a real concern".

(comment deleted)
Execs are definitely subjected to targeted attacks on a regular basis, but they don’t need to be exploits on physical devices to be effective. For a high profile example: see the Bezos hack. There’s enough money in this space that zero-days are within budget.
Considering the lengths to which people go to get an edge on the stock market (like using satellite feeds to observe parking lots, factories and tracking executives), I think the concern should be real for executives of large multinationals. On top of that, industrial espionage is a thing.
I mean absolutely. What I'm cautioning against is reading too much into the overall security posture of mass market devices (or intelligence agency intercept capabilities) from this advice.

This is closer to "if you can pay a team to go and find a way into that specific person there" then they're going to succeed.

But you're already close to "infiltrate the window washing company, and stick solar powered listening bugs to every window on the upper floor suites".

Fun Fact. I've been in to places where it was an almost impossible feat to achieve without substantial background clearance checks. Chatting to the cleaners around the coffee machine during down times showed a shocking disparity between the checks run on 'obvious people' vs. the 'invisible people'. (My personal viewpoint on life is that we are all just people doing equally important jobs, i.e. Cogs in the Machine, regardless of pay rates).

Pen-Testers use the 'cloned cleaners' pass' thing all the time and it works surprisingly well.

We were told by our IT department that its now SOP by both nation states and hacker groups to target all executives of MNCs. Even those in "visible" technical roles are targeted as a standard matter of procedure.
True, but somewhat irrelevant to most people. There are so many lower-hanging and juicier fruit than recording audio from your phone that I just don't understand why this would be a relevant case.

Most people have their email, personal photos, medical records, financial records, chats etc. on their phones. If you believe your phone is likely compromised, you should first move all of those off your phone before being concerned about realtime audio recording.

I'm debating about whether or not to post this but if it makes it this far then I opted to do so.

A year or so back I stayed over with some extended family, one of which was 'In to IT and earns a living from it. During that time (using the I.T guy's network) I noticed that one of my phones was eating through the battery at a crazy-stupid-mad rate. A quick check showed that this particular phone had begun uploading a metric shit-ton of data on an otherwise normally asymetric data profile (in other words Data Uploaded vs Data Downloaded Ratio).

A check with the 'family IT guy' confirmed that he had Remoted In to a high value clients' system to trouble shoot something at around the same time that one of my phones began to furiously upload any and every thing on its' memory card.

Sounds like one of those "Cool Story Bro" types stories right?

All I will say is that because one of my 'Low Hanging Fruit' thangs got p0wned I was able to alert the $corp of the problem (since the probe originated on their end not mine).

As with all things in Life, YMMV.

They wonder sure. But tells us also what happens after you give them a budget of what its going to cost the org.
This is very sound advice for anyone who wants to feel more secure about their surroundings and mobile devices.

People underestimate the spying potentially of mobile phones very often. They are always on, have a data connection, and run software that is abysmal for security.

I would bet that at least an iPhone is much safer than a regular company laptop in 90% of companies. It is quite likely safer than the internal network. Security is often a second rate citizen in most companies.

Also, strict security practices that affect productivity often get worked around - for example, if I want to examine a diagnostics archive I got by mail on my phone, but the IT policy won't let me, I may well forward it to my personal mail, open that though Firefox, and get the archive this way. It's much worse for overall security, but pretty hard to prevent, and less important to me when I get a call about blocked builds at 10 o'clock.

I absolutely believe that such attacks are possible - no doubt about that.

But most corporate networks likely have much more likely vulnerabilities that are worth much more thought than this, in my opinion. If your phone has been taken over to the extent that an audio/video stream can be recorded without your permission, I would bet also that much more valuable information than that audio/video stream can usually be obtained as well, for most people who are not used to high security.

"...if you're really that paranoid?"

No, you can not call me a paranoid anymore. Before Snowden you could call me like that. But today, it is not secret anymore...

Oh, you can be paranoid, even though they are after you ..
Snowden just told us to re-read EU's report on ECHELON or to just check what the Patriot act authorized.
What Snowden has shown us is that we shouldn't have phones or other internet-connected devices at all if we deeply care about privacy and security.

However, if, as most companies, you have already chosen to move the vast majority of internal communications, records and documentation in the cloud, it makes little sense to then be afraid that they'll listen to your meetings through your phone.

I think his point is that everyone underestimates the chance they’ll be targeted.
> too paranoid

It's a known risk from the Snowden leaks. So it's not fair to characterize it as paranoia.

It's a known risk from the Snowden leaks for any internet - connected device.
> How are smartphones and tablets different from laptops and regular phones in this regard?

At least when it comes to smartphones, there is the baseband circuitry that tends to run completely independently of the OS:

* https://techcrunch.com/2019/11/08/android-baseband-flaws/

* https://threatpost.com/baseband-zero-day-exposes-millions-of...

Some people do worry about the Intel Management Engine having similar issues:

* https://en.wikipedia.org/wiki/Intel_Management_Engine#Securi...

> How are smartphones and tablets different from laptops and regular phones in this regard?

They are more likely to be attacked because they are better targets. They are more often carried around, have GPS and more cameras.

They are MUCH more difficult to manage centrally (e.g. company-managed antivirus/vpn/firewall, locked-down software installation, secure boot...), or inspect or modify.

They are more often used to all sort of untrusted networks (cafe', airport, hotel...)

Personal phones often have tons of untrusted apps with access to microphones.

> Unless this is advice for state-level institutions discussing state secrets, this seems like completely useless advice

citation needed, especially after Snowden revelations

If you take the Snowden revelations seriously enough to worry about snooping on your board meetings, you should take them seriously enough to drastically reduce online communication and record keeping - as I'm sure stae-level institutions do.

If you're a company whose financial reports, email and documents all reside in the cloud, having your boardroom meetings snooped on through your phone is the last of your worries.

Most people have out of date android, and the ecosystem for malware is much larger there than on an old Nokia dumbphone.
> How are smartphones and tablets different from laptops and regular phones in this regard?

Tech aside, one scenario: C level exec parent - or any parent - hands phone or tablet to child in backseat as a pacifier. That's much less likely with reg phone or laptop.

Also, the fact that he didn't specifically mention laptops might simply be an oversight. That is, pretty much everyone will bring their phones or tablets. An exec with a laptop? In a meeting? Probably a rarity.

> How are smartphones and tablets different from laptops and regular phones in this regard?

Smartphone location tracking data is extremely high-dimensional and sensitive. It is capable of revealing a lot of things which you might not even want to tell to your family. I think for a company such as Google, getting a list of CEOS in e.g. The Netherlands which visit psychotherapists, or occasionally spend the night at the home of their secretary when their wife is on business travel, is little more than an elaborate database query.

What does this have to do with bringing smartphones to boardroom meetings?
If they can hack your phone presumably they could just hack the thousand cloud services you use or the cloud they run on anyway. Seems a minor additional concern.
If a phone with a camera and microphone is a minor concern, what counts as a major concern?
I said minor additional concern.

Listening to conversations seems minor if you already have access to documents, which seems easier to hack than phones.

Listening in on a board meeting is ofcourse much more interesting than reading the meating notes since the interesting parts will be off record.
> presumably they could just hack the thousand cloud services

Well they don't need to hack them. From the Snowden leaks the government has a program called "PRISM". Where companies such as google and amazon just hand over everything from their servers to to government.

> If they can hack your phone

Not quite. With your phone there is nothing to hack as it is "pre-hacked" fresh out of the factory. You're opting in to use an always-on remote listening device.

I think this article is more in the context of non-allied nations conducting industrial espionage against you, so PRISM isn't relevant here.

Either that or you were under the impression that the Dutch security services are giving tips for how to protect yourselves from themselves!

This is defeatism. There are widely differing attack footprints between BYOD, cloud services, managed devices, etc. Susan from accounting won't accidentally install spyware on EC2.
More than that. For some low-resolution info, they can also hack one of the services that back one of countless of adtech SDKs that most apps ship bundled with.
(comment deleted)
Not sure if I should feel lucky or depressed that no one outside my team will ever care about our meetings enough to spy on us...
Once you leak information, you are no longer in control of it. You don't know who will see it, when they will see it or what they care about.
leak information = exist
This is actually fairly unremarkable for some levels of security. Someone I know who works for a defense sub-contractor, they can't bring phones in their classified labs.
I have been to interviews where it was leave your phone at reception and that was for a avowed job
Just a reminder, we've known this since Snowden in (?) 2013. The NSA actively engage in industrial and diplomatic espionage. If you are making innovative products with a is competitor or negotiating M&A with a US company or doing anything in a government capacity outside the USA, beware.
It's a concern anywhere and everywhere. The US is far from the only country or organization that spies on others. Other nations do it, criminal organizations do it, etc.

And spying isn’t even the most likely source of information leaks. More likely is that you have an insider threat or someone who unintentionally leaks information.

Size matters though, I don't think the NSA is going to go after you SaaS because some small company in the US is a competitor.

When you're at the level that it becomes a concern, you should be paranoid in any case, not just because you might get targeted, but because industrial espionage doesn't require the NSA. When serious money is involved, every competitor can hire a bunch of guys who are, for all intents and purposes, in the same league. They may not have the latest & greatest 0day, but the NSA isn't going to burn that on most industrial espionage cases either (especially not in Western countries, where they can just talk to their intelligence counterparts and expect cooperation).

Sure! this is only about strategic players. For Dutch I know Shell, NXP, ASML, Airbus. But also their whole finance, accounting and telecommunication sector, and generally all big industrial companies.

I think this should be a normal advice in any country. Countries spying on each other isn't new and smartphones and tablets are just an easy door to open.

Usually when guidelines come out like that, it is in response to a specific incident. Anyone knows what triggered this?
Seriously? You haven't heard of Edward Snowden leaks?
You are suggesting the Dutch intelligence service has been thinking about this guideline for 7 years before releasing it?
That's a question for Dutch intelligence.
I can get behind this for another reason too: distractions.

A meeting is a vehicle for unifying all the minds in the room and disseminating information. Phones, tablets, laptops are all distractions. There is nothing worse to me than sitting in a meeting while all my peers peck away at their own stuff and only offer 10% of their attention span.

Any meeting where somebody looks at their phone shouldn't involve that person.
Note that the actual quote from the intelligence officer is quite a bit more nuanced (directly translated from the current version of the original article):

"I don't think any board of directors of a large organization should be meeting on business secrets with a smartphone or iPad on the table," says [the officer].

(The original: "Ik denk dat geen raad van bestuur van een grote organisatie meer moet vergaderen over bedrijfsgeheimen met de smartphone of iPad op tafel", aldus Swillens.)

Interesting how in Dutch it uses assertive "I think that no council of directors of a large organization more(?) must gather over [whatever this word means] with the smartphone or iPad on table", instead of negative "I don't think..." in English.
bedrijfsgeheimen are trade secrets
Technically it's "none"

You can also say "Ik denk niet dat...". But using "geen" adds emphasis

If he is referring to people at the table illicitly recording the conversation then fair enough. This is a concern, and it's a big emerging concern.

Else, no. It's just a bureaucrat speaking mumbo jumbo security theatre.

GPS, I might believe. Analysing networks is an interesting area. And GPS I could see leaking.

MIVD stands for (translated): Dutch Military Intelligence and Security Service. He's giving an advice to big organizations. To just dismiss this as "bureaucrat speaking mumbo jumbo security theatre" is short sighted, IMO.
The difference between Dutch Military Intelligence and Security Service and you? Nothing.

People in Intelligence are as smart and more importantly dumb! as the general population.

One difference is they can't smoke pot (Unsure about the Dutch)

Their only 'power' that makes them seem better than mediocre is they can do things that would be considered illegal for a normal person without fear. IE force everyone to hand over tax records for analysis

This person has climbed the ranks. They 100% are a bureaucrat. I 100% stand by what I said.

(If you think they are leaking a Zero Day, no. Not on a crappy paywalled interview. And I'm not sure I've ever heard of a phone recording people by foreign intelligence or hackers)

Is there a way to set up a room to inhibit all the capabilities of an smartphone? Microphone, antenna, GPS, camera, signal, etc... Of course without endangering the present people.
Not without the cooperation of the phone itself, I don't think.
That's a faraday cage or a Sensitive Compartmented Information Facility (SCIF)

Or if your the Mafia "Johnny Pliars" collects your phone before you go into the backroom :-)

The faraday cage doesn't prevent exfiltration by just walking out the door with the recording on your phone.
That's what "Mr Pliers" is for or more likely the Red Cap with a Holstered Webley
Faraday cage design shielded rooms exist in many facilities for sensitive meetings, but unless you also remove all potential recording devices from the participants they would still be able to just record and transmit later.
I suspect a lot of these rules/recommendations are more around the fact that a phone can easily serve as both an audio and video recording device than that a hacker can gain control of someone's personal iPhone.

We've sort of normalized everyone having a camera on them most of the time and whipping it out to record a whiteboard after a meeting. But I can remember the days when bringing a camera into company facilities required a fair bit of security rigamarole. (I needed to shoot some pictures of old gear for a presentation.)

Why would somebody be that motivated to carry a phone somewhere, even if that phone is completely disabled and useless? Maybe there's a market for phone-shaped pieces of plastic for people who need something to caress at all times.
I would welcome a government mandated hard switch for the camera and microphones on every device that is made for the masses. Some costs will increase, but then again, it doesn't have to be that much more expensive. It'd be difficult to write the proper laws though.
iPhones have their physical, 2-position switch for silent mode so it's not like the parts aren't right there. The main cost would probably be increased tech support burden from people accidentally turning the switch off.
You can ckeck for a connection to the microphone or have the switch also connected to IO to put a mute symbol somewhere.

My laptop has a small plastic sheet to pull over the camera and I really like that solution for cameras. For microphones there need to by a breaker switch.

I bet it’s possible to listen to your conversations via the camera when closed. The vibrations will cause minor disturbance of the black picture which can be converted to audio.
"Sir, all we have is a black picture, the camera was blocked by a piece of plastic"

"Wait a minute, go back a bit. Just there, enhance! Now convert to audio waves"

Another crime solved by NCIS.

This has been in the wild for 6 years now https://fstoppers.com/video/scientists-can-recover-audio-sil...
Thank you. You ruined my day.

Luckily it seems to require a fast shooting camera?

Technical spying is quite interesting. Like how you can see the picture of a remote display by radio disturbances. Reality is like living in a crackpots nightmare.

They can use the rolling shutter in consumer cameras. The video has example audio recovered from a 60fps video taken by a consumer DSLR.
are you sure the iPhone's switch is physically disconnecting the microphone ? I am not. It is probably causing the software to mute the microphone, which means that an attacker can change this behavior without you noticing.
Gone are the days where you could trust "air gaps" to secure your machines...
Where do you leave your smartphone while in meetings? In a basket at the front door? What if someone takes your phone from the basket and compromises it?
I worked in high security settings. You leave your devices outside at the porter in a lockable cabinet. Or better don't take them with you at all. And you get a mandatory security briefing.

Mostly you can safely assume the meeting room or internal servers and routers are already tapped. So act accordingly.

I've recently put together an interesting idea that any transmitter could be a microphone. A sufficiently advanced eavesdropper could record the small variation in the frequency transmitted due to the movement of the transmitter.

I'm not sure if it's really possible, but sound has been reconstructed from video of the movement of leaves of plants or empty potato chip bags. Is it so strange that the signal from a transmitter might be carrying info you don't expect?

Sound is such a strange beast. The keys you press on a keyboard can be reconstructed from audio because of differences in the sound of each key. Cryptographic keys can be reconstructed from the sound of a processor decrypting specially computed messages. I even read a theory about a bios worm that can infect nearby air-gapped computers via sound waves.

Am I paranoid? Perhaps.

Are these things possible? Perhaps.