Remember that California bill to ban the sale of encrypted phones? It just got worse

encrypted-iphone.jpg

(Image: CNET/CBS Interactive)

A recently-amended California bill that would force phone or software makers, like Apple and Google, to decrypt data or face fines just got sizably bigger in scope.

California assembly member Jim Cooper (D-9th) introduced new state legislation that would require any new smartphone from 2017 onwards to be “capable of being decrypted and unlocked by its manufacturer or its operating system provider.”

That would impose a near-blanket ban on nearly all iPhones and many Android devices being sold across the state as they stand today, more often than not with unbreakable encryption that even the companies can’t unlock.

Cooper introduced amendments to the bill late last month that went largely unnoticed, but modified the scope at which a phone can be forcibly unlocked.

The new mandates the “ability to decrypt in response to any court order at any point, not just time of sale,” said Andrew Crocker, attorney at the Electronic Frontier Foundation, in a tweet.

That’s a wide expansion from the original version of the draft bill, which said that any phone sold in the state must at the time of sale have a backdoor to allow law enforcement to access that device’s data with a court order in hand.

It’s no surprise that Cooper has modified the bill, given the controversy surrounding the bill. The amended version will no longer fine tech companies and phone makers for each phone sold, but will instead face a $2,500 fine for each time a device cannot be accessed by law enforcement.

Cooper still has a way to go before the bill becomes law. The bill must pass the assembly and the state senate, and be signed into law by Gov. Jerry Brown (D).

Crocker said in a blog post earlier in March that the bill, if passed, “would leave law-abiding Californians at risk for identity theft, data breach, stalking, and other invasions of privacy, with little benefit to law enforcement.”

“It would be both ineffective and impossible to enforce,” said Crocker, “and, if that weren’t enough, it suffers from serious constitutional infirmities.”

Despite the controversy around the bill, that hasn’t stopped Cooper himself using an iPhone, despite saying on Twitter that Apple was “risking our national security and the safety of our kids” by building devices with unbreakable encryption.

Asm. Jim Cooper tweeting a selfie from his iPhone in mid-March. (Screenshot via Jim Cooper/Twitter)

Cooper’s office did not return a call Friday.

SecurityScorecard Offers Free Cybersecurity Assessment

New security assessment tool provides a security “posture score” based on their protection-level and flaws in the network.

Security services vendor SecurityScorecard rolled out a free security assessment tool yesterday that scans weaknesses and vulnerabilities across an organization’s network and delivers a status report with a snapshot of security flaws within the infrastructure.

The security assessment includes a “security rating” and “posture score” based on Internet traffic to and from an organization. An organization’s security rating is based on on several factors including end-of-life products, hacker chatter, social engineering, patching frequency, dorking, and malware.

The assessment process monitors and classifies risks associated with the application, network, and password security for any third- and fourth party vendors as well. The goal of the assessment is to provide companies insight into how secure their organization is compared with competitors in their vertical industry.

“It’s not practical to completely rely on questionnaires and penetration tests to determine the security posture of 3rd party vendors,” said Michael Belloise, director of information security at TriNet, which uses SecurityScorecard’s service. “In addition to questionable accuracy, it only provides us with a point in time assessment and may not accurately reflect the true cybersecurity risk of doing business with someone.”

Read more about the Free SecurityScorecard assessment here

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

More Insights

What You Need to Know About Stagefright

Any mention of stage fright transports us to our schooldays when we had to go up on stage to recite an oh-so-long poem, or act out a part in a play or sing a song. The jitters that came along! Oh yes, we all may have suffered from stage fright to some degree.

But when I talk about Stagefright in this blog, it refers to a new cyber threat – a malware that is potentially scarier. In July 2015, security experts discovered several vulnerabilities in the Android operating systems that cybercriminals were targeting with the intent to steal personal data stored on our smartphones. Experts named this group of malicious code “Stagefright,”which is a nickname for the media libraries found in operating systems of our Android smartphones. Intel Security’s Mobile Threat Report for 2016 found that the count of Android-based devices detecting the Stagefright-based exploits has remained steady in Q4 2015.

So how dangerous is Stagefright and why should we be concerned? Well, it allows cybercriminals to remotely execute a code on a user’s phone by sending a specially designed MMS message. All that a cybercriminal requires is the target’s phone number to launch the attack. The attacker can then implant a remote access tool that gives them full access to your device.

This attack could happen while your phone is being charged. This means that the user has no hand in enabling the malicious code on his device, say through clicking on an infected link or downloading a malicious file.

There are even reports about the use of specially designed MP3 and MP4 files used to launch the Stagefright attack. This makes the situation even more pressing here as India has a booming smartphone market and a majority of the smartphone owners rely on the Android ecosystem.

While device manufacturers take note of such macro threats and share regular patches with customers, we must be vigilant every step of the way.

Stagefright

If you are an Android phone user, it is important for you to know the risks that could affect your device and how to protect yourself. So what can you do to keep your device secured and stay safe?

  • Update your device regularly: enable auto updates, for both the operating system and security tools. Yes, even if it means a 10-minute delay in starting your work because the Android tablet or smartphone needs to install updates and restart. While it may be inconvenient it is a small sacrifice to make for the safety of your personal information online
  • Secure all devices: All your devices (and not just the Android-based ones) with comprehensive security software from a reputable brand.
  • Turn off auto open feature: Because MMS-based messages and later, MP3 & MP4 files, were used to introduce the bug it’s wise to keep the auto-open MMS messages feature turned off. Similarly, disable auto-download or opening of files. This will allow you to personally verify authenticity of the source before you open a message or document
  • Err on the side of caution: It is better that you be suspicious and check files and messages before opening them than to be too trusting and fall prey to a cyberattack.

And always remember the cybersafety mantra I share frequently- STOP. THINK. CONNECT.

Don’t act in haste, make time to check and consider all options and consequences before you click on the ‘open’ tab.

Stay safe online!