As the number of apps for smartphones continues to grow, perhaps your paranoia about such apps should be growing as well. In an unusual statement, the former director of the CIA has warned that the government isn’t sharing enough information about cyber security.

In an article at http://www.wired.com/threatlevel/2011/03/hayden-cyber/, retired four-star Gen. Michael Hayden is quoted as saying that over-classification is occurring due to bad habits that “are keeping the government from educating the public about the sorry state of cyber security”.

In particular, General Hayden remarks that “In the popular culture, the availability of 10,000 applications for my smart phone is viewed as an unalloyed good. It is not — since each represents a potential vulnerability. But if we want to shift the popular culture, we need a broader flow of information to corporations and individuals to educate them on the threat. To do that we need to recalibrate what is truly secret.”

Yes, each app that you install on your smartphone is a potential vulnerability. It is precisely for that reason that you should be making decisions about what you install based upon rational thought processes. For some things, the reward is not great enough to warrant the amount of risk taken. For example, you might choose not to drive 120 MPH (193 KPH) because the cost of potentially getting killed or injured isn’t worth the benefit of arriving sooner, or perhaps even the benefit of the fun of driving so fast. If you do choose to drive that fast where it is not permitted, and you do get caught, you may discover that the consequences are so extreme you wish you hadn’t taken the chance.

When it comes to installing software on your smartphone, take a good look at what you may be risking. Do you do online banking or shopping with your smartphone? Do you have business contacts? Contacts for friends? How about access to an email account with private emails? All of this information may be compromised if the wrong app is installed. After you identify what assets you have and their value, then consider the app you are installing. What is the benefit it offers you? Is it worth potentially risking your information for a funny picture or a game you might play a couple of times a year and can probably play online, rather than installing it on your smartphone?
 
The important thing to notice here is that General Hayden is telling you that each application is a potential vulnerability. This means that you should be prudent when installing applications on your smart phone. Do a serious risk/benefit analysis. Do you use your smart phone for online banking? If the answer is yes, then there is more risk. Do you use your smart phone to compose emails that are private and you do not want shared with anyone other than the intended recipient? If the answer is yes, then there is a significant degree of risk. Do you have business information on your smart phone? If yes, that adds a degree of risk.

Do you know anything about the developer of the app? Reputation is a valid part of the equation, but even reputable developers will make mistakes that can allow a hacker access to your device.

These lessons are something that the automotive industry has yet to learn. As automobile manufacturers add computerized systems to vehicles, it seems that they are not paying attention to the fact that hackers are going to attack these systems, so robust security has not yet become a known quantity in the automotive industry. This is the reason that even your car is at risk from hackers: http://www.technologyreview.com/computing/35094/?nlid=4233.
Are you sure you want to install that smartphone app that tells you the state of charge on your car? You have a potentially vulnerable system on your car and now you compound vulnerability by adding another app to your phone. It would be one thing if the app could make the car charge faster, but if the information isn’t going to really make any difference, then perhaps you could do without the amusing app.

I’m not saying that you should not install any apps, but do keep in mind that each app is a potential vulnerability and ask yourself if the benefit the app provides is worth the added risk. Sometimes, even if the benefit is simply entertainment, it is worth the risk. Quality of life has value and that is a legitimate part of the equation, but at least do the math!

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America