Inadequate Smartphone Security as Second-Hand Smoke

by Donogh Roche, April 10th, 2017
Your smartphone is you. It goes with you everywhere. It’s how you communicate; how you track your day; how you make travel plans; how you access online banking, social media, e-mail; it tracks your location, explicitly or not; it pervades all aspects of your life.

And it’s no more than a foot away, all the time.

Not only that, your smartphone is in proximity to lots and lots of other people — family, friends, colleagues, the person next to you on your commute, the friendly barista who serves you your daily coffee: everyone you meet and interact with.

And maybe it’s already been hacked. You clicked a link yesterday. It might have been accidental; it could have come from the one phishing attempt that got away, the one Gmail’s spam filters didn’t catch. Maybe you visited the page, got suspicious of the URL, and left. But the page had a browser exploit, and you unsuspectingly downloaded and executed malware.

How did it happen? There’s a new Android and iOS exploit in the wild, via the WikiLeaks CIA leak, or there’s a vulnerability that’s been out there long enough for the garden-variety malware creator to do something about it.

And you haven’t updated your phone’s OS.

The vulnerability was fixed: in last week’s iOS 10.3 update; in last October’s Android Nougat release; in last summer’s TizenOS security fixes.

Maybe it isn’t your fault. Your Android hardware manufacturer skinned the OS, and there’s a 6-month lag between a Google update and their update. Or you can’t afford to get a new phone, and it’s now considered obsolete, meaning: no updates.

However it happened, the malware is part of your life now. It’s feeding every little tap and interaction to a server sitting in a remote country. It could even be listening through the microphone, or capturing photos and video through your camera.

You’re the victim. Your privacy has been compromised. But you’re not the only one.

We work together. Every conversation I have with you is tainted. I send you an email, you read it, the hacker reads it. I communicate confidential information by text, you get a copy, the hacker gets a copy. And for the more paranoid: we have a meeting, you’re listening, so is the hacker.

The thing is, I’ve kept my phone up to date. It’s malware-free. I’m more cautious, or more technical, and know how to avoid drive-by downloads. I intentionally use a more secure browser. I do everything I can to avoid infection.

But because our lives intersect, the extent of my privacy is governed by yours. Whether intentionally or not, you’re smoking, and I’m breathing your second-hand smoke.

The more fraught the security landscape gets, the more exploitable the average phone becomes, the more people around you end up compromising your privacy.

What now?