orbitalflower

GCHQ warns mobile phones are insecure

Posted in Opinion on

GCHQ’s defensive branch CESG has put out a new guide on Safe Use of Mobile Devices and the Internet. It’s targeted at “senior officials”, but the advice given is good for everyone.

Here’s the best line in the document:

Voice calls are not secure and can be intercepted. This is especially the case when overseas.

GCHQ here is trying to throw us off the scent by suggesting that domestic UK calls are less likely to be intercepted than abroad. In reality, the Snowden documents showed that GCHQ is intercepting all voice calls in the UK.

CESG notably doesn’t mention secure calling apps at all, even while it recommends the use of burner phones to make personal calls while abroad. It only advises the use of “secure communications” for “Overseas Missions” and even then only for sensitive government data.

It sounds like GCHQ is stuck in the 20th Century mindset where government officials get secure calls but the general public doesn’t.

The advice also admits that it’s possible to use a phone as a bug even when switched off, which has long been speculated to be possible via old vulnerabilities in legacy baseband devices. Such an attack requires the battery to still be in the device for the CPU to function, but an alternative attack may be a traditional signals intelligence method to light up the microphone with a remote power source.

The article doesn’t forbid taking phones into sensitive discussions, but only asks officials to “consider” it. I suppose CESG doesn’t think it’s realistic for officials to leave their phones outside of discussion rooms given how inconvenient this is, and leaving phones unattended is its own security risk.

Later, it advises installing software only from the official App Store to avoid malware. This is good advice, but the guide could go further in advising against downloading apps that harm the user’s privacy. However, that’s often difficult for a non-technical person to judge.

I’m mostly surprised that an app installation warning appears at all in a discussion largely about official phones, which under other government guidelines would have the ability to install apps locked out anyway.

Generally, however, the article is good advice for all citizens, who should be aware that phones today are not a secure method of communication.