Someone recently discussed with me how even Jeff Bezos’s phone could apparently be hacked so there was no hope for them. Well, I believe, there’s actually nothing you could do against a determined adversary.
It all comes down to the resources available at the attacker’s disposal. Think of a nation-state. Something that you can do is increase their required effort by following a few guidelines. This would ensure that only a few groups or organisations can target you, effectively making the effort economically infeasible to even bother doing for normal people.
Here is a list of such items. Some of the points below may seem paranoid but all of these have either been used at some point to attack an individual or an organisation or have been demonstrated to work practically. Everything is a real threat, though some may not be applicable to you because let’s face it, you might not be that important in the grand scheme of things. Assess your own threat level.
General security hygiene
- Visit monitor.firefox.com, find out (almost) all your personal data that is already dumped in the public. Change the passwords and do not reuse any. Sue the respective companies and demand compensation for leaking your personal data (Kidding! Just a joke. Like privacy.)
- Use two-factor authentication wherever you see it. Preferably, use a TOTP (time-based one-time password) app like Google Authenticator. Do not lose your 2-factor backup codes.
- Sometimes data and apps that claim to self-destruct or delete do not actually do so. Do not be stupid to generate and transmit content online that you do not want others to get hold of.
- The more new places with cool offers you sign up, the greater the chances of your personal data leak. Assume all your previous data is already public, and proceed from there.
- In case of dealing with authoritarian regimes, remember that platforms like Reddit do not provide you anonymity. The government can always request data from anyone. (Refer to transparency reports by the tech companies.) True anonymity takes a lot of effort to get right and you will probably screw up.
Mobile and your devices
- Turn on auto-update on all your devices, including mobile phones and laptops. This does not help in all cases though. Again, it is all about increasing the barrier.
- Mobile phones have hardware-based security and isolation so that random apps cannot read the call’s metadata (whom you talk to) unless you permit them to do so. There are extremely popular mobile apps that provide spam calls blocking, caller identification and SMS filter solutions that may not be as secure, and it might be possible to keep track of your call metadata, defeating the whole purpose of purchasing that phone for the price of a car. Restrict usage of these services or their permissions.
- Sometimes phone and app backups to the cloud are not encrypted, even when the phone itself is highly secure or the chat app uses end-to-end encryption. This includes iOS and Whatsapp backup on some platforms. In fact, just this week, there were reports about Apple scrapping plans to have fully secure iCloud backups of devices, allegedly on request from the FBI. Find out about yours, and do local encrypted backups if possible. (Sometimes, also helpful in case of ransomware lock-downs.)
- Wherever possible, disk encryption should be turned on (for example, Filevault2 on macOS). Again, remember things are not perfect. This is especially helpful when you hand over your dead or damaged device to the “authorised service center,” or your cabin bag containing the laptop is conveniently exchanged with an exact similar bag in an airplane’s overhead compartment, which you only notice after reaching home. (Check for possible hardware implants whenever you lose sight of your hardware for a long time and it is returned back to you.)
- Limit location data. Last I checked, Android was terrible in this respect. iOS is better, though “Significant Locations” stores data of all the places you have been to and even counts your visits (even that visit last month you wanted to hide). Turning it off has tradeoffs.
- Switching to new devices frequently helps if you are already under attack, with the adversary trying to remain undetected for a long period of time. It would usually take some effort on their part and a mistake on yours to compromise the new device again.
- Home WiFi routers are highly vulnerable and have been used as a component in a variety of attacks. At least, change the default password and update the firmware regularly. If possible, buy your own router instead of using the ISP provided one.
- Public networks like popular cafes can be used to do a lot of bad stuff. Avoid if possible (tether). Adversaries impersonating as a public network is not uncommon.
- Using commercial VPNs (virtual private networks) is like the lesser of two evils. If you know what you are doing, you can easily set up your own VPN server.
It is helpful to sometimes check your local WiFi for unknown or extra connected devices.
- As is already known, IoT based smart devices have terrible security vulnerabilities and non-existent support in terms of patches and updates. If possible, take all those smart devices and gift it to a neighbor who has been bothering you.
The physical-world you usually tend to ignore
- If a stranger asks for your phone to place a call since theirs is dead, keep monitoring their actions with the phone and stay close. (Also, cardio. In case they turn out to be just a common thief and run with it.)
- If what you have on your device is reasonably important, maybe don’t plug a friendly neighbor’s charger to your device in a coffee shop. Carry your own USB-C or whatever.
- If your work involves lots of travel, avoid typing your corporate passwords (which is sometimes also your personal password) while people are standing to deplane. Everyone can see it. Those passwords should already have been saved in your browser.
- If you are a frequent traveler there is a high probability of you getting mugged. Ensure that your devices are encrypted as discussed in the previous section.
Face ID is a terrible idea in my opinion. Maybe disable it when you travel. Also, remember that in dire situations where you are protected legally, pressing the power and volume button for some time brings the emergency SOS screen, which additionally locks your phone and disables Face ID until your pin is typed in again.
- Again, if what you do is reasonably important, disable the mic and camera on a hardware level (not possible for some devices, use DIY stuff). This is not being paranoid. Malware does exist and has been used in the past against activists and journalists that can record audio, take periodic screenshots, access camera, keep track of the hotspots you connect to, and even steal your crypto wallet keys. (Oh you poor thing still holding onto your Ethereums.)
To be honest, a lot of the problems might need a complete redesign of the internet and the way we think about personal devices, apps and permissions and the current model of storing data, which many of the vested entities might not be willing to invest in at the moment. If you are a journalist or an activist and you believe you might be under attack, contact the EFF Threat Lab. They might be able to help.