Years ago, when spooks and government employees needed a secure smartphone, they turned to Research in Motion's BlackBerry. Times have changed, however. More and more government agencies are capitulating to the fact that their employees prefer Androids and iPhones. Even the National Security Agency (NSA) has adopted to changing times. Fast Company recently discovered that a copy of the NSA's security guidelines for iOS devices (PDF) is online and publicly available.
The unclassified NSA document, written by the Mitigations Group of the Information Assurance Directorate, is intended as a security recommendation manual for network administrators in the government and law enforcement sectors. Although most of it is written in a mixture of bureaucratese and dry technical manual styles, it provides valuable insight into iPhone and iPad spy capabilities and what the ubiquitous devices can do.
NSA employees are specifically worried about iPhones being hacked and converted into intelligence-gathering devices. A long section on risk mitigation warns on outsiders turning on “hot mikes” inside phones, of remote camera activation, of GPS location data being used to spy on users, and for spoofing credentials. While the NSA notes that iPhones are less susceptible to Bluetooth attacks than other smartphones, they are susceptible to exploitation via email spam and cellular networks.
While most of the NSA document reads like a standard best practices checklist, one thing stands out. The NSA seems to feel that human behavior on the part of an iPhone user is the biggest security liability--and endless suggestions are offered to mitigate the risk. One of the biggest risks for iPhones, according to the documents, is being plugged into an unsecured outlet for recharging. Security experts such as Brian Krebs have warned of the (possibly hypothetical) risk of "juice jacking"--rogue charging kiosks at airports or conventions secretly copying data from a victim's phone. As a precaution, the document recommends “provid[ing] additional AC outlet chargers” to users.
Another worry is that malicious users could use iPhones or iPads to secretly spy on offices. The NSA recommends that, for sensitive environments, iOS devices only be used in Airplane mode with Wi-Fi turned off. When that isn't feasible, the agency recommends leaving iPads and iPhones outside conference rooms or covering their cameras with opaque tape.
The NSA has been skittish about the use of smartphones in general by employees, and not just the switch away from BlackBerry devices. This past March, the agency expressed ambivalence that Defense Department employees (the NSA is a DoD agency) commonly use smartphones to conduct work business that previously would have been done on secure desktop computers. Meanwhile, agency employees are using specially modified Android phones with a unique 3G routing scheme.
[Image: Flickr user Andy Melton]