Wikileaks CIA documents raise hacking fears — should we worry about our devices?
100 per cent certainty may be impossible, but consumers can take steps to protect themselves
Explosive allegations this week out of Wikileaks that U.S. intelligence agencies are surreptitiously spying on us using our devices has prompted many consumers to worry if their data privacy is at risk.
In a data dump of more than 8,000 documents purportedly coming from inside the CIA, Wikileaks alleges that intelligence agencies have developed malware that can turn iPhones, Android devices and Samsung smart TVs into covert listening devices.
Give the preponderance of internet-connected devices in our lives, many consumers are naturally concerned about what Big Brother might be listening to, and how confident they should be in their data security.
"I'm not confident at all," says Justin Oliver, who was in small phone-repair shop in Toronto this week. He was there for a quick fix of a broken screen on his Samsung smartphone, but he's nowhere near as confident in a permanent fix for his data security.
"I think people can gain access to information any way they choose ... to access an IP address or my phone would probably not be that difficult for someone who's advanced."
Daniel Tobok, the CEO of Cytelligence and a cyber security expert, says there's no such thing as 100 per cent security, even before this week's events. "The bad guys out there ... have access to a lot of crazy tools," he says.
The techniques alleged in the Wikileaks documents may represent a new front, but the reality is that widespread and blanket espionage just isn't feasible.
"I don't think the average Canadian needs to be concerned right off the bat," Tobok says, "but there's definitely a little bit of concern that everybody should have and just be a little bit more cautious."
Tobok and others say consumers' best defence against hacking should be very familiar to them: avoid doing sensitive things on public Wi-Fi, use different secure passwords for accounts and devices, and change them often.
But consumers should also give more thought to what sort of permissions they blindly hand over to apps they've downloaded to their smartphones, or smart devices in their own homes. Wireless routers, for example, are among the most insecure devices in most homes, yet they are point of contact for just about every other device transmitting sensitive information.
Consumers would do well to ask why an app downloaded on to their smartphone is demanding access to their email and microphone. Or why a smart television is tracking what people are watching.
"As long as you're up to date and you're aware, you'll eliminate 90 plus per cent of the threats out there," Tobok says. "Common sense is really key here."
Part of the concern with Wikileaks allegations: if government agencies have access, who else might? As Wikileaks said in a release: "If the CIA can discover such vulnerabilities so can others."
Tobok says consumers take some comfort from the notion that governments are at least nominally obligated to obey protocols and comply with laws when seeking information on consumers devices. But rogue groups such as organized crime cartels have no such compunctions.
"It becomes like the wild, wild, west if you have organized crime and other unfriendly states to Canada and the U.S., for example, that are using these tools against us," Tobok says.
While he agrees that consumers are far too lax about privacy issues, Ryerson professor Alex Ferworn says fears of widespread surveillance using hacked devices are largely overblown.
'Little to worry about'
He cites the example of someone talking loudly on a cellphone on a crowded bus, sharing intimate information for all to hear — "but somehow we're concerned that somebody's going to sneak into our phone at night."
Despite password-guessing tools that can crack a weak password in a matter of minutes, "the average Canadian probably has very little to worry about," he says.
Businesses, meanwhile, have more at stake. Cybersecurity breaches affect their bottom lines as they deal with angry customers.
"I'm not that worried about it, but in all fairness, if I was a corporation I might be a little more worried," says shopper Justin Oliver.
The cold, hard reality is that hacks can and will happen, which is why one company thinks the focus should be not on prevention, but detection.
"The hackers are getting smarter," says Niranjan Mayya, founder and CEO of Rank Software, a Toronto–based technology company that helps businesses detect breaches — because they can't really be fully prevented.
Mayya says statistics show that it can take a typical company up to six months to even figure out that systems have been infiltrated — an ocean of time for a hacker to collect valuable data before the company closes the back door and changes the locks.
Unlike others, "we have accepted the fact that you are going to or have already been breached," he says.
That may be cold comfort to consumers, but the reality for most people is that the ability to guard against all but the most persistent hacking attempts is largely in their own hands.
As Ferworn puts it, we must "stop relying on our cellular devices as much as we're doing if we want to be private."