
Tag Archives: Espianage

The President’s Phone

It appears that President Trump remains committed to his elderly Android phone. This has caused a flurry of speculation on the risks of doing so. There was a similar debate about President Obama retaining his Blackberry when he took office.

This was a subject I discussed with the US Secret Service during one of Obama’s State Visits; sensibly, there are limits on what can be said publicly, so I will avoid going into specifics.

So, what are the Risks here?

  • Access to sensitive information on an unencrypted device? Physical access to the device would allow access to data at rest, or to account credentials (usernames and passwords). This is unlikely: the device is in the jacket pocket of the US President, and there are adequate physical controls. This was viewed as adequately managed.
  • Remote access to data? This is a more significant risk. If it is a stock device running an old version of Android, there are unpatched vulnerabilities that allow an attacker to obtain information from the device, and at-rest storage encryption doesn’t help here. This remains a risk, and is a good reason for retiring the device, especially given that obtaining credentials for e-mail and Twitter accounts could be extremely useful to an attacker. This could happen both as a result of a targeted attack on President Trump and as a result of an untargeted attack that simply sweeps up credentials from any device it can find.
  • Eavesdropping? Again, these are attacks against vulnerable, unpatched devices, and they are available to foreign intelligence services. Such attacks turn the device into a sophisticated bug in any room, which would be of great interest to foreign governments seeking access to sensitive and non-public discussions. This would be a highly targeted attack by highly capable attackers, and a significant security threat.
  • Location tracking. A mobile phone of any nature has to talk to a network to operate, and that network contact, as well as any compromise of the smartphone that makes it report its position, can be used to determine where it is at any time and any pattern of movement. This is extremely valuable information that can support both a direct attack on an individual and the collection of information on who they meet and their regular patterns of behaviour. Location can leak by many paths (data embedded in images, social media posts) and is frequently overlooked. The location tracking threat is a critical concern for the physical protection of a VIP.

So, if your Risk Assessment indicates risks that you are unable to accept as part of your business, what controls can be used?

Require a device with patched software and applications that are still under support. Your employee may like their old Galaxy S3, but is their using it a risk to your business? This is the point at which BYOD meets security, and it should be addressed in the mobile working policy (“BYOD, but not any device”), unless you are confident in securing and supporting every mobile phone made in the last fifteen years.

The use of an always on VPN, bringing all data traffic back to a point where it can be monitored for abnormal or unusual behaviour. Not all data can be monitored, unless you wish to compromise TLS connections, and users may (quite rightly) object to that on devices they also conduct personal business on. Monitoring, and acting on, unusual connections and activities is normally sufficient.

Periodic audit of the device to identify any unusual or unauthorised software or apps, either using software continually running on the device or by periodically inspecting the device with tools.
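As an added illustration of the “BYOD, but not any device” rule and the periodic audit just described (example code written for this page, not anything from the original post), here is a small compliance check run over a constructed device inventory; the Android version floor, the patch-age limit and the blocked package list are assumed policy values, not figures from the post:

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed policy values (not from the post): oldest Android release the
# business will support, and the maximum age of the vendor security patch level.
MIN_ANDROID_VERSION = (10, 0)
MAX_PATCH_AGE_DAYS = 90
# Constructed list of packages the policy does not permit on managed devices.
BLOCKED_PACKAGES = {"com.example.sideloaded.remoteaccess"}
# Date on which the constructed audit below is run.
AUDIT_DATE = date(2024, 6, 1)

@dataclass
class DeviceRecord:
    owner: str
    model: str
    android_version: str          # e.g. "4.3", as reported by the MDM agent
    security_patch: date          # vendor security patch level
    packages: list[str] = field(default_factory=list)

def parse_version(text: str) -> tuple[int, int]:
    """Turn "4.3" into (4, 3) so versions compare numerically, not as strings."""
    major, _, minor = text.partition(".")
    return int(major), int(minor or 0)

def evaluate(device: DeviceRecord, today: date) -> list[str]:
    """Return the list of policy findings for one device; empty means compliant."""
    findings = []
    if parse_version(device.android_version) < MIN_ANDROID_VERSION:
        findings.append(f"android {device.android_version} below supported minimum")
    patch_age = (today - device.security_patch).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"security patch level {patch_age} days old")
    for pkg in device.packages:
        if pkg in BLOCKED_PACKAGES:
            findings.append(f"blocked package present: {pkg}")
    return findings

# Constructed inventory: an unsupported Galaxy S3 class device, a current device,
# and a supported device that has drifted out of patch and picked up a blocked app.
INVENTORY = [
    DeviceRecord("alice", "GT-I9300", "4.3", date(2015, 6, 1), ["com.android.chrome"]),
    DeviceRecord("bob", "Pixel 7", "14.0", date(2024, 5, 5), ["com.android.chrome"]),
    DeviceRecord("carol", "Pixel 5", "13.0", date(2024, 3, 1), ["com.example.sideloaded.remoteaccess"]),
]

def audit(inventory: list[DeviceRecord], today: date) -> dict[str, list[str]]:
    """Map each owner to their findings; devices with findings should be denied access."""
    return {d.owner: evaluate(d, today) for d in inventory}

if __name__ == "__main__":
    for owner, findings in audit(INVENTORY, AUDIT_DATE).items():
        print(f"{owner:6} {'DENY' if findings else 'ALLOW'} {'; '.join(findings)}")
```

In practice the inventory would come from the MDM or the on-device agent, and the findings would feed the access decision for the VPN or mail gateway rather than just a printout.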

Controls over where devices are not allowed. If there are particularly sensitive areas in a business, or sensitive conversations, then ban devices. Provide small lockers to allow users to store them outside of the area.

Advice, guidance and training for users. And record when it has been delivered.

Remote disabling or wiping of the device.

Remote application execution: VDI for mobiles, or deliver all information through TLS browser sessions without requiring apps and data storage on the device.

The only control normally beyond the reach of a business is to use a private, closed, network with technologies to prevent RF or network based user tracking. But you would only use that in the most critical of cases…

There is a reason to protect information

This article in the Guardian caught my eye.

Two months after a visit by Chinese officials, a company in Scotland with an innovative Wave Power design was burgled. Several Laptops were stolen. The burglars went straight to the company offices on the second floor of the building, bypassing companies on the lower floors.

A couple of years later, a Chinese company with close ties to the Chinese government, started making very similar Wave Power devices.

The Scottish company is now out of business.

So, assuming that there was nefarious activity here – and that is not proven, just a series of odd coincidences – what can we learn?

Information Security is not just about protecting personal or financial information. It is also important for commercial reasons: the designs, software and business model that a company has is the heart of what the company is actually worth.

There is a cost for the loss of that information. It is not unreasonable to spend an appropriate amount of money securing that information. How much depends on the capability of any threat, and on the risk appetite of the company.

Could the information realistically have been protected against theft of the laptop it was on? Probably, though we do not know what precautions this company had in place. Realistically, a good hard drive encryption system, tied to the TPM in modern laptops, would have defeated most attackers. Add good physical security, alarms and CCTV; lock the laptops away when the office is unoccupied; general good security hygiene.

Commercial espionage does happen.