The recent 60 Minutes story on how easy it is for hackers to listen in on your conversations, track your movements, and read your text messages has reignited people's concerns about privacy. For the average person, though, the exploit used to listen to Congressman Ted Lieu's conversation (a hack of the Signaling System No. 7 (SS7) cell phone network) is really a minor concern. Unless you are someone in a position of power or influence, a direct hack on your personal conversations would not be worth the time or effort it would take to launch.
What this exploit does do, however, is highlight once again the need for companies to revisit cell phone security best practices. Given that smartphones are now de facto corporate network endpoints – whether or not they are sanctioned by IT – it is a good idea to help the rank and file of your organization keep their devices secure.
There is a treasure trove of data and network access to be gained by going after almost any employee's device. Combined with pervasive and liberal bring-your-own-device (BYOD) policies, smartphone security suddenly takes on a new urgency. So, while there isn't much you can do about the SS7 vulnerability (which has been known about since 2014 – but that's another story), there is still plenty you can do to protect your network edge:
For secure texting, use encrypted messaging services like Apple's iMessage or Facebook's WhatsApp. Some of these services, such as WhatsApp, also allow voice calls. Skype also works to avoid SS7. Check out commercial and open source voice encryption solutions like Silent Circle and the Signal app, respectively.
Make sure IT installs a mobile device management (MDM) platform so that it can, among other things, track whose device is in use on the corporate network and verify that each device complies with corporate usage policies. It's also a good idea to make sure employees are running anti-virus on their Android phones.
Keep instructing your employees on the basics, such as: avoiding suspicious third-party applications, not clicking on unsolicited links in text messages, locking their phones when not in use, avoiding public and hotel Wi-Fi (if they must use public Wi-Fi while traveling, they should connect through a VPN service), and so on.
"You could walk through a crowded coffee shop or airport lounge and pick up half a dozen smartphones that don't have a screen lock, or are not encrypted and have access to their corporate data, email apps and [virtual private network] clients," said Doug Grosfield, president and CEO of Five Nines IT Solutions, speaking to TechTarget. "Many people are still failing to protect their devices by leaving the door wide open."
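The MDM compliance checking described above, and the unlocked, unencrypted devices with corporate access that the quote warns about, can be made concrete with a small policy evaluator. The following is an added example written for this article, not code from any MDM product: it evaluates a constructed device inventory against rules that mirror the recommendations here (screen lock, storage encryption, anti-virus on Android, a known owner for every enrolled device, and a minimum OS version) and only lets compliant devices reach corporate email and VPN. Every field name, the `MIN_OS` table and the sample records are assumptions for illustration.

```python
"""Minimal MDM-style compliance check over a device inventory.

Added illustration, not from the article or any MDM vendor: the rules
mirror the article's advice (screen lock, encryption, anti-virus on
Android, a known owner for every device on the corporate network), and
every field name and sample record is a constructed assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    device_id: str
    owner: Optional[str]        # employee the device is enrolled to (None = unknown)
    platform: str               # "ios" or "android"
    os_version: Tuple[int, int] # e.g. (14, 2)
    screen_lock: bool
    encrypted: bool
    antivirus: bool
    corporate_apps: List[str] = field(default_factory=list)


# Hypothetical policy: minimum OS version per platform (assumed values).
MIN_OS = {"ios": (14, 0), "android": (11, 0)}


def violations(dev: Device) -> List[str]:
    """Return the policy rules this device fails (empty list = compliant)."""
    problems = []
    if dev.owner is None:
        problems.append("unenrolled: no owner on record")
    if not dev.screen_lock:
        problems.append("screen lock disabled")
    if not dev.encrypted:
        problems.append("storage not encrypted")
    if dev.platform == "android" and not dev.antivirus:
        problems.append("no anti-virus on Android")
    if dev.os_version < MIN_OS.get(dev.platform, (0, 0)):
        problems.append("OS below minimum version")
    return problems


def may_access_corporate(dev: Device) -> bool:
    """Gate email/VPN access: only a device with no violations gets through."""
    return not violations(dev)


def compliance_report(inventory: List[Device]) -> Dict[str, List[str]]:
    """Map each non-compliant device id to the list of rules it fails."""
    return {d.device_id: v for d in inventory if (v := violations(d))}


# Constructed sample inventory (not real devices or employees).
SAMPLE_INVENTORY = [
    Device("dev-001", "alice", "ios", (15, 1), True, True, False, ["mail", "vpn"]),
    Device("dev-002", "bob", "android", (12, 0), False, True, True, ["mail"]),
    Device("dev-003", None, "android", (9, 0), True, False, False, ["vpn"]),
]

if __name__ == "__main__":
    for dev_id, probs in compliance_report(SAMPLE_INVENTORY).items():
        print(dev_id, "->", "; ".join(probs))
```

Running it lists `dev-002` (screen lock off) and `dev-003` (unenrolled, unencrypted, no anti-virus, old OS); the iOS device passes because the anti-virus rule applies only to Android. The useful design point is that access is decided by `may_access_corporate`, so a device that drifts out of compliance loses email and VPN automatically rather than after someone notices.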
It's also good practice to let key people know that, because of their position in the company, they may be targeted for ongoing phishing scams in a practice called "whaling".
There is good news, however. While common, mobile phone hacking is not nearly as prevalent as the headlines may suggest. According to Verizon's 2016 Data Breach Investigations Report, while "new" technologies like mobile and the Internet of Things (IoT) will undoubtedly give hackers new attack vectors, there has not been "a significant volume of incidents involving mobile or IoT devices yet." But the report does caution that "the threat is certainly real. Proof of concept exploits have been demonstrated and it's only a matter of time before we see a large scale breach."