Now that the list of victims of mobile spyware includes household names like Jeff Bezos, many security professionals are well aware that any commercial smartphone can be remotely compromised and essentially turned into a live bug that hears everything the user says and hears. But while the threat of smartphone-based eavesdropping is often viewed solely in terms of the target, in reality, threat actors frequently place their sights on members of the target’s inner circle in the hopes of capturing conversations with the target or bits of valuable information reshared after the fact. It’s important to understand the group dynamics at play in order to better protect against the risks to the target and the organization.

Conversation’s social element

To understand why threat actors cast a wide net when it comes to smartphone-based eavesdropping, it’s helpful to look at how sensitive information is shared within and beyond an organization.

In general, people only willingly share sensitive, high-value information with those they trust.

One way to look at a person’s network is as a series of concentric circles of trust, with the person in the center surrounded by a series of increasingly bigger (and increasingly less trusted) circles of people. The person’s inner circle consists of anyone with whom they can speak freely about sensitive matters – typically trusted colleagues, immediate family and close friends. The person’s outer circle consists of anyone else, from mere acquaintances to complete strangers. In the case of a CEO, their inner circle may include the C-suite, allowing the executive to freely share company strategy and other confidential details with this group.

Of course, everybody has a unique inner circle, and two different participants in a conversation will likely have inner circles that don’t perfectly overlap. So if the CEO tells a company secret to the CTO, for instance, the CTO may share that secret with key subordinates or their spouse, even though the CEO may wish to keep those details within the executive team.

Another dimension to this concept is that not everybody within one’s trust circle will necessarily be trustworthy, due to carelessness or, in rare cases, malicious intent. For example, the CFO and CMO may discuss the secret originally shared by the CEO in an office with the door open, not realizing that people outside the office may be able to overhear.

In sum, these social dynamics mean that sensitive details may be reshared, willingly or inadvertently, beyond the inner circle of the person who originally shared them.

Smartphone eavesdropping in practice

Given that every high-value conversation involves at least two parties and that sensitive information can spread far from the source, it’s easy to see why spies – whether competitors, state-sponsored hacking groups or foreign intelligence services – often expand the scope of their smartphone eavesdropping to members of the target’s inner circle and sometimes beyond. Even if the spies can compromise a single smartphone belonging to a member of the target’s inner circle, that device provides an ear into direct conversations with the target, if only sporadically, as well as bits and pieces of information shared by the member of the inner circle. And while any given audio capture may be valuable on its own, the aggregation of individual data points often paints a more valuable picture.

To see how this phenomenon plays out in real life, let’s look at a couple of well-publicized examples from the last couple of years.

Perhaps the most notable case is that of slain journalist Jamal Khashoggi, who earned the ire of the Saudi government for his vocal criticism of the kingdom. While it appears that the Saudi government did not compromise Khashoggi’s smartphone (though they may have tried), they were able to hack the smartphone of Omar Abdulaziz, one of his friends, using the infamous Pegasus spyware. According to a lawsuit filed by Abdulaziz against the maker of the microphone-hijacking spyware, the Saudi government was able to access Abdulaziz’s conversations with Khashoggi and the information captured from these conversations ultimately contributed to the journalist’s murder.

In another case, it was revealed in 2017 that then-White House Chief of Staff John Kelly’s personal smartphone was hacked. Though many of the details of the compromise aren’t publicly known, some believe that, given the hallmarks of the attack, it likely involved the use of sophisticated spyware at the hands of an adversarial nation-state. If that’s the case, the adversarial country no doubt wanted to capture Kelly’s conversations with President Trump and other members of his staff. Such information could give the nation listening on the other end an undue advantage by learning about the White House’s key strategies, innerworkings and even behavioral tendencies.

A numbers game

Every organization working with sensitive information has a different risk profile, but in general, it’s always better to extend the circle of eavesdropping protections around each target. Covering a greater number of participants in the extended circles not only means a smaller probability of actionable information being captured by threat actors, but also greater productivity due to fewer restrictions on the verbal exchange of sensitive information.

Of course, providing protections against smartphone eavesdropping for everyone within an organization is resource-intensive and not always the best use of limited security dollars. But the following game plan can help you decide where to focus your attention: 

1. Identify the key targets within your organization. These targets are the ones regularly having conversations involving the most sensitive information. While members of the C-suite likely fit this criterion, there are also roles in other areas – like legal, engineering and sales – that may be targets, as well.
2. Define likely circumstances in which employees may become targets. For example, an employee may become a target while traveling internationally or if involved in merger and acquisition discussions with another company.
3. Choose one or more workable solutions for protecting targets. Key targets may require a high-security hardware solution (like an anti-surveillance add-on for smartphones), while software-based tools – like mobile threat defense (MTD) – may be appropriate for others.
4. Prioritize a solution rollout. Ensure that key targets are protected before committing time, energy and money protecting those within their inner circles and beyond.

Not every conversation is a matter of life and death or boom and bust. However, ambitious adversaries have the patience and tools to parse through conversation after conversation in search of an exploitable piece of information. An organization’s best hope of keeping its information secure as it spreads via word of mouth is to simply reduce the number of these conversations exposed to attackers in the first place.