The Off Switch and Security

The March 14-20 issue of Bloomberg Businessweek has a section focusing on security issues, and a feature story on the same general theme. Overall, the articles made me much more likely to use the light switch tucked away on my smartphone -- the ability to switch into airplane mode and leave the network.

Moving most of our communications infrastructure online and making it digital has created an arms race on the security front, with hackers and malicious actors finding ways into systems around the world. Late last year, hackers knocked out power in Ukraine to about 80,000 residents for several hours. The outage might have lasted longer, but because the system is antiquated, authorities were able to reset the system by clicking circuit breakers back into place by hand.

This insight, generated by happenstance, has been occurring to security experts by design, as well -- that analog security safeguards should be a part of systems. The nuclear industry has learned this, building in analog failsafes (the rods that lower into the core if there is a general system failure, cooling it down). As one expert says:

You can't lie to analog equipment. You can't tell a valve that it's opened when it's closed. It's physics.

Adding analog failsafes represents an approach being called "defense in depth." Another expert explains the digital vulnerability and the need for these analog solutions:

Defense in depth means you have layers of protection. But digital, even when it claims to have multiple layers, is in a sense one layer. Penetrate that, and you could potentially no longer have another layer you need to penetrate.

You can see this lack of true layers in the case where the FBI wants Apple to crack open an iPhone used by terrorists. There is only one passcode to overcome, and it would take four programmers 6-10 hours each to bypass it. After that, the phone would be wide open, as would all the other iPhones, Apple contends. This thin layer is all that is protecting iPhone privacy worldwide. John Oliver has a tremendous segment on these issues.

As more things become connected -- pacemakers, insulin pumps, automobiles, mass transit controls, airplane control systems, prison door locks, home locks/thermostats/systems -- this single layer of security is stretched thinner, and there are more ways into it.

This leads to another story about the vulnerabilities in mobile payment systems, which have vulnerabilities of their own. One major issue is the existence of under-capitalized start-ups in the space, which leads me to one of my favorite quotes:

There's a lot of two engineers and a goat.

Some start-ups have been caught sending social security numbers in the open, and have been fined for it. The Federal Trade Commission is looking closely at these vendors and regulating them more strictly.

A third article focuses on yet another non-digital solution to dealing with security breaches -- human motivation. A cybersecurity startup called SquirrelWerkz is convinced that a good portion of security problems can be traced to competitors or rivals, and are not random. By performing real-world investigations on top of digital sleuthing, they claim to be able to put up defenses against the most likely sources of malfeasance, which is more effective than trying to keep the world at bay.

But the article that has me thinking of using airplane mode more often is called, "The Democratization of Surveillance." The article explores the world of the International Mobile Subscriber Identity (IMSI) catcher, a device (also known as a Stingray or Hailstorm) that fools your cell phone into thinking it's a cell tower, then uses that connection to grab information, monitor calls, and so forth. Your phone has no idea it's being fooled, and behaves normally.

IMSI catchers are falling in price, and their appeal within law enforcement makes it difficult for lawmakers and courts to decide how to handle the devices. In India, huge scandals have occurred in which politicians and lawmakers and celebrities were monitored for weeks on end, their call logs revealing sexual dalliances, dealmaking, and other nefarious behaviors. It's comparable to the Murdoch scandals of hacked voicemails, but much more pernicious as it's more easily done and there are fewer clear legal or technology protections.

In a small number of states in the US, police are no longer allowed to use Stingray-like devices without getting an explicit warrant. But the laws are not uniform. As the reporter at Businessweek writes:

Most local police departments, though, still aren't bound by [a Justice Department directive requiring explicit language in a warrant]. Neither are foreign governments, which are widely suspected of using IMSI catchers here (as we are no doubt doing elsewhere).

Now that prices have fallen to the $1,500 range for these devices, concerns are that they will soon drop so far that consumers will have routine, retail access to them. There's even speculation that your phone could download an app that would turn it into an IMSI catcher, so you could monitor your neighbors, kids, and spouse.

Of course, there's an emerging countermeasures industry, but this is again just another arms race, with shorter times to the next step as technology and skills both become more widespread.

In this environment, it's good to remember that your smartphone has a couple of analog options -- airplane mode and off. These may be the best security measures you can take, especially if traveling abroad.