Are These Cell Phones a Security Risk?

With the recent reports of potential spying issues related to Huawei and ZTE smartphones, examines the risks.

With the recent reports of potential spying issues related to Huawei and ZTE phones, thought it should take a look at the possible risks and consequences. 

(Image courtesy of ZTE.)

(Image courtesy of ZTE.)

Software, Firmware and Hardware

A smartphone is basically a handheld computer with cellular and Wi-Fi communication technologies built into it. Every computer has three basic layers: software, firmware and hardware. How does each layer pose a security risk?

Hardware is the electronic circuitry that does the actual work of the phone. Hardware is general-purpose in that it has many capabilities—it just needs to be told what to do. Fortunately you don’t need to understand hardware in order to operate a computer, just like you don’t need to be an automotive engineer to drive a car. The hardware itself doesn’t pose a security risk. It just follows orders. 

Software is the operating systemand application programs (apps)on the device. It’s called “software” because you can’t actually get your hands on it. It’s just a set of binary codes. Usually programs reside on a mass storage device like a drive—flash memory, in the case of a phone—and are loaded into the computer’s random access memory (RAM) when they launch. Apps are the easiest place to put malware because virtually anyone can write an app—not in binary, but in a high-level language translated into binary by a software compiler—and it’s not difficult to embed malicious code into an otherwise useful program. Most phones have the ability to ensure that an app doesn’t run unless it was downloaded from a trusted app store, so this type of malware is easy to stop. 

In between the hardware and software layers resides a hidden layer: firmware. It’s called firmwarebecause it’s a program, like software, but permanently “burned” into the hardware. Firmware is a set of low-level instructions that allow apps to control the hardware without app developers actually knowing how the hardware works, just like programmers can write a “Hello world” program in C++ without knowing how a video card works. Firmware gives apps access to the hardware, but that access is limited The firmware allows software to run certain processes while blocking access to “secure” functions.  

Unlike application software, which is loaded into RAM when launched and unloaded when closed, firmware resides on a computer’s non-volatile read-only memory (ROM) and constantly runs in the background. And therein lies the security risk. 

Firmware Is Always Active

Because firmware is the interface between hardware and software, it’s always running in the background and has access to every feature of the smartphone. This means that the firmware is all-powerful. And, as we know, power can be dangerous. If a malicious company wanted to embed some nefarious code into its devices, firmware is the place to put it, and it would be very difficult to detect. 

So how does this affect the average smartphone user?

It’s a Matter of Trust

In theory, any smartphone manufacturer could embed spyware into its products, allowing digital eavesdroppers to record calls, texts, and data accesses. Huawei and ZTE have been singled out because they have strong ties to the Chinese government. U.S. security officials are discouraging government agencies from using phones made by these companies, citing potential security risks, but never elaborating on what those risks might be. Huawei and ZTE, obviously, are denying any reports of spyware embedded in their phones. 

If you’re wondering whether it’s okay to use smartphones made by Huawei and ZTE, you have to ask yourself a few questions.

Who can be trusted?When I’m trying to assess someone’s honesty, I first ask, “What’s their incentive to lie?” Quite frequently, the answer is either money or power. 

What’s the risk to me?I suppose if I worked in the intelligence industry or ran a multi-million-dollar business, then I should be concerned about someone spying on my communications. But the most interesting conversation on my phone is when my wife calls me from the craft beer section of the grocery store to tell me what’s on sale. If I see a cadre of Chinese spies at Woodman’s taking advantage of a good deal on Goose Island Honker’s Ale, then I’ll know they’re watching me. 

The digital age gives us ubiquitous connectivity; that convenience is a double-edged sword. Every day we read websites, make phone calls and engage in social media. All of those activities are tracked by Internet providers, telecommunication companies and advertisers. If you want complete privacy, then stay off the internet…and wrap your phone in several layers of tin foil. 


Follow Dr. Tom Lombardo on Twitter,  LinkedInGoogle+and Facebook.