With legislators at both the state and federal levels paying increasing attention to internet of things security concerns, it’s worth considering the implications of the connected sensors that we carry with us everywhere we go -- those in our smartphones. Whether an agency has government-issued devices, official bring-your-own-device policies or a shadow BYOD system resulting from onerous smartphone restrictions, it’s vital that IT managers understand the potential hazards associated with these most personal of sensors.
Smartphones are jam-packed with a variety of sensors that provide real-time data collection about everything from a device’s movement to its environment. Consider the collection of sensors in the iPhone Xs, for example.
- Face ID (facial recognition): Scans the user’s face as part of the authentication process.
- Barometer: Measures the device’s altitude based on ambient pressure.
- Motion sensors (gyroscope, accelerometer and digital compass): Measure the device’s motion, including rotation, acceleration and direction.
- Proximity sensor: Measures the distance of an object (like a user’s ear during a phone call) from the touchscreen.
- Ambient light sensor: Measures the light level in the device’s environment for adjusting screen brightness.
- Two cameras: Enable photo/video capture and streaming video.
- Four microphones: Enable phone calls, Siri usage, audio memos and more.
- GPS: Calculates the device’s location.
- NFC: Enables Apple Pay (contactless payment) and more.
- 3D Touch (pressure-sensitive display): Enables different options based on varying degrees of touchscreen force.
To combat the abuse of smartphone sensors, both iOS and Android have implemented permission models. In theory, it’s up to the user to explicitly approve access to certain sensors by an app or mobile website. In practice, however, permission requests often obscure -- maliciously or unintentionally -- the access being requested.
The potential for abuse of smartphone sensors is enormous, whether for surveillance capitalism (data collection and user tracking for the purposes of targeted advertising) or just outright surveillance. We’ve already seen hackers remotely hijack smartphone cameras and microphones as a surveillance technique.