If there's a difference between John McAfee and Eugene Kaspersky in their public speaking behaviour, it's more in their tones of voice than in the paranoia of the message. Perhaps because he's 70 years old (or perhaps because he's practicing a presidential bearing), McAfee speaks more slowly and more quietly than Kaspersky.
But the the presidential candidate and self-described “oldest living” practitioner of information security still scared the daylights out of an audience of sysadmins at the Lawtech 2015 conference on Australia's Gold Coast today, demonstrating the insecurity of their Android mobes with the first live-phish Vulture South has seen outside a hacker conference.
McAfee told the IT-managers-to-the-law who attend the conference the smartphone is fundamentally incompatible with the sensitivity of what any law company deals with on its network.
The reason – at least in the Google Android ecosystem – is simple. People are worth money in the Android ecosystem.
As the medium of exchange, he said, apps gather information that gets correlated and sold – “the average person … is worth about US$800 per person. You are paying in loss of privacy.”
That's why apps demand excessive permissions; and once those permissions are granted, there's damn little you can do about it, apart from removing the app.
Phishing sysadmins for fun
By way of demonstration, McAfee live-phished the conference attendees.
He had a flashlight-style app written for the conference; by the simple expedient of asking people to write something on their notepads, photograph it, and press “send”, he got at least some of the attendees to okay the permissions, which let the app use the front camera to take a photo of the user, and their e-mail app.
“There's not a single flashlight app that's not spying on you right now,” he said, simply because of the permissions we grant to apps.
“It took about three hours to program this, to turn on the flash, take a picture, and send it to me via e-mail – your e-mail by the way. It's so easy.
Put down that bible
“In America we have bible-reading applications: every single one of those applications asks permission to turn on your microphone, your camera, it wants permission to read your e-mails and the right to send e-mails wherever it chooses.”
The permissions also include SMS, video, photos, all of which can be wrapped up and sent to a fundamental religious group called “Focus on the Family”, he said.
“That scares me,” he said.
Fitting his angle to the audience, McAfee pointed out that everything that passes through a lawyer's e-mail is, after all, sensitive, whether it's facts or pleas, assertions or fees – and all of it, if a user okays excessive permissions, is available to an app.
It might sound paranoid, telling an audience that a smartphone is never truly “off” – that it could spend a night reading e-mails, sending them “home”, and resetting the flag to “unread” with only a battery drain to show for it – but what if the app doing that was collecting information that might be sellable to some other lawyer?
“You've said yes to the terms and conditions,” he said – meaning “yes, the app and its publisher can do whatever they please”.
Surely out of all of the lawyers in the world, he pointed out, there must be some just that little bit corrupt that they could convince themselves it's okay to buy information on that basis?
“You think that can't happen to a small law firm? You are wrong,” he said. The scammers, criminals and malicious will pick off the big targets first, and “sweep the rest up off the ground later”.
Everyone in the audience – El Reg would guess this advice would remain unchanged for any IT audience – needs to take the bad news to the boss: either get smartphones and fondleslabs off the business network, or get them locked down (and yes, he did have a product pitch).
And it's not, he emphasised, good enough to merely resist the rise of BYOD, if people can still access corporate e-mail when they get home.
“You've along for a long time without having to think or take any action”, he said. “Now, we're going have to take some of that back, take some responsibility for our lives.”
And the product pitch? There were two, but McAfee noted that there are other options, including hiring developers to do the lock-down for you.
The first is an app called Decentral 1 that combs apps so you know what permissions the owner has granted – “you've got 27 apps spying on your via microphone and camera, 23 that are using your e-mail, 19 using text messages” and so on.
The other, D-Vasive, is the lock-down app, letting you override those permissions. ®