Account and Mobile Security
Recent revelations highlight that advanced mobile phone spyware (Pegasus) poses a serious surveillance threat. Quoting The Guardian, What is Pegasus spyware and how does it hack phones? [archive]:
It is the name for perhaps the most powerful piece of spyware ever developed – certainly by a private company. Once it has wormed its way on to your phone, without you noticing, it can turn it into a 24-hour surveillance device. It can copy messages you send or receive, harvest your photos and record your calls. It might secretly film you through your phone’s camera, or activate the microphone to record your conversations. It can potentially pinpoint where you are, where you’ve been, and who you’ve met. ... Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed. These will often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that the mobile phone’s manufacturer does not yet know about and so has not been able to fix. ... Security researchers suspect more recent versions of Pegasus only ever inhabit the phone’s temporary memory, rather than its hard drive, meaning that once the phone is powered down virtually all trace of the software vanishes.
The tool is already in use by many governments worldwide, posing a significant threat to journalists, human rights defenders and NGOs, among others. This shows that even the most security-conscious individuals cannot reliably prevent such attacks; therefore, those at high risk should limit the use of mobile phones for sensitive activities whenever possible:
- A compromised mobile phone could turn on the microphone and eavesdrop without any compromise indicator noticeable by the user.
- The sound of typing on a keyboard can be used to infer the typed words with some accuracy. This might reveal passwords; see Microphone.
- Similar risks exist for the in-built camera.
- All content on the mobile phone can potentially be exfiltrated, including contacts, media, messages and documents.
- All browsing and communications history can potentially be monitored.
- Location data might be accessed by adversaries.
- Any other data or activities on the mobile phone are at risk of access or exfiltration.
SIM Swap Scam
Due to SIM Swap Scam and Malicious SMS Re-Routing, consider setting a registration lock. This prevents someone who has gained control of your mobile number from re-registering your account without knowing the re-registration PIN code.
- Signal messenger: three dots → settings → privacy → scroll down → Registration Lock PIN
- Telegram: settings → privacy and security → two factor authentication
- WhatsApp: settings → account → Two-step verification
Malicious SMS Re-Routing
Two-factor Authentication (2FA)
Even users who are knowledgeable about bulk phishing or spear phishing can benefit from 2FA. See Two-factor Authentication (2FA).
Phone Number Security Compartmentalization
Consider using at least two different mobile phone numbers. One that you give to friends, colleagues, etc., that is, to real people. The other phone number you give only to banks and perhaps other money-sensitive services that require SMS as a second factor or as a means to contact you.
The rationale behind this is that people you know might give your mobile number to others, or their mobile phone may be hacked or stolen. Through these or other means your mobile number might end up being published on the internet, which could make you a target for a SIM swap scam. However, if you use different phone numbers in different places, a SIM swap scam would cause less damage.
A phone which is carried outside daily is more likely to be stolen or robbed than a phone which is kept most of the time in a safe(r) location. If a thief steals your everyday phone, they at least do not get a chance to fraudulently access any bank accounts.
Due to possible SIM swap scam:
- Avoid using a phone number (SMS) for Two-factor authentication (2FA) whenever possible and use better options such as "google authenticator". It does not have to be literally "google authenticator"; any alternative 2FA application works. See 2FA for more information.
- Inform all contacts of a possible SIM swap scam. Should they receive any requests for money or other strange requests, encourage them to call you instead to confirm.
- Prefer messengers or other chat applications that support a Registration Lock PIN over SMS.
A lot more could be said about mobile security. However, the Whonix ™ project is not (yet) a mobile security software project. The reader might be interested in this Overview of Mobile Projects, which covers projects focusing on one or more of: security, privacy, anonymity, source-available or Freedom Software, and de-googled or un-googled systems.
- Do not Use (Mobile) Phone Verification
- Phone Number Validation vs User Privacy
- Two-factor Authentication (2FA)
- Overview of Mobile Projects