It scares a lot of people in MOD, Intelligence and Government when reading headlines like; “Researchers catch Yemeni hackers spying on Middle East military phones” (1) –– but for the wrong reasons!

People start contacting the security departments and asks them if the “military grade” secure phones they have are compromised. I can tell you – they most likely are not – BUT that’s not the real security problem at hand here!

Regarding the Yemeni hackers in the article - The headline should say “phones belonging to military staff” not "military phones", which is misleading. To spell it out - the hacked phones were "normal" Android phones belonging to military staff and not military grade secure phones.

Me (2) personally and others at KoolSpan (3) have been talking about the risks in conjunction to private completely unsecure phones with MOD’s, intelligence organisations and governments for a long time now - the risk of staff having a “brick”, a military grade secure phone (not a smartphone / not able to be used as a smartphone), that “forces” them to have another private phone that is completely unsafe. The private phones are the ones most likely targeted by foreign agencies and groups sponsored by foreign agencies – all according to the principle of low hanging fruit / go for the easier target if it achieves your objectives.

I have met many generals, senior intelligence organisation representatives, very senior representatives from governments and all of them have a "military grade secure phone". Nothing wrong with that on its own but ALL of them also had a completely unsafe private phone on them, pretty much always.

Why is this a problem? Separation of duty should be a good thing, yes? Use the private phone for private things and the secure phone for government business – problem solved, yes? No! Far from.. because this is not how foreign intelligence agencies operates and achieve its goals and objectives if you are targeted as a person of interest to them.

To “hack” a military grade secure device and communication platform is very hard and time consuming, even for states and state sponsored groups. It’s not impossible but the point here is that they don’t have to resort to this when they can achieve desired intelligence objectives far easier, less resource demanding and faster.

Example of objectives possible to achieve with spyware on a private phone:

Geolocation – person of interest – remote location - drone – BOOM. This would be the worst-case scenario but also something very much so achievable if the geolocation is compromised. Many other things such as moving patterns and so on is security risks if the geolocation is compromised for a person of interest.

Microphone / speaker interception - listen to everything you say including when you talk on your secure phone.

Contact list interception - mapping of all your private friends, relatives and contacts, whom in turn can be targeted as leverage and / or spyware planted on devices belonging to them as well. PS – if you are in MOD or Intelligence the chance that you also hang out with people in the same field privately is very likely.

Messages, mail etc interception – mapping of you as a private person (to possibly be used as leverage from things such as sexual preferences, cheating, drug use etc)

And so much more...

Finally, allow me to give you some practical advice. Make sure that you look at the whole picture when defining demands / use cases for your secure communication needs. I’m sure you already cover things such as secure and private internal communication requirements but don’t forget to cover the following areas as well:

• External communication needs, provide a secure solution
• Private communication needs, provide a secure solution
• Usability as important for security and privacy
• Privacy and security for both private and internal needs
• A security policy that people can and will follow

Stay safe,

Henrik Kindstedt

Don’t hesitate to contact us at KoolSpan for a discussion about secure communication and privacy for your or your clients’ organisations.

Book a meeting with Henrik Kindstedt (the author of this article) via the link below:

Book a Meeting

1. https://cyberscoop.com/researchers-catch-yemeni-hackers-spying-on-middle-east-military-phones/
2. The author of this post is Henrik Kindstedt, VP Sales and Marketing at KoolSpan
3. KoolSpan provides secure communication solutions for the most security and privacy demanding organisations in the world.