Stuart Lyle, who works for a network operator in the UK, has kindly written a guest blog for me today on the latest issue to hit Android. More details on Stuart can be found at the bottom of the post.
This is a very real, very valid vulnerability and HTC have made what I would professionally describe as a cock up. Other vendors have undoubtedly done worse and will do worse in the future. One can also have a very long debate as to whether or not the guys at Android Police have acted responsibly in publicly disclosing this so soon after private disclosure to HTC. I’m not going to get drawn into that debate – I’ll leave that one to others who have more valid opinions.
My take on the whole issue is one of moderate indifference. I read it yesterday, got a bit concerned by it and then I shrugged my shoulders and uttered a noise I can only describe as “meh”. I can’t change the problem and I can’t fix the problem so I have to view it pragmatically and sensibly and consider the broad questions of what is the impact to me and what is the impact of it on customers.
Impact to me? Well, I don’t use an HTC device so, harsh as it may seem, I’m all right Jack! My data and my behaviour aren’t going to be compromised, at least not through this vulnerability anyway.
Having done some reading and some checking, it would seem that some of the handsets referenced in the disclosure aren’t on the open market and those that are available have not been available for long. This is also good. That means that there aren’t going to be millions of these devices in use by customers. That starts to make me more comfortable in terms of impact. It would also seem, through some conjecture by boffins who know this sort of stuff, that it will be easy to fix. Again, more comfort. I’m almost relaxed now. Almost.
Do you see what I’m doing here? It’s not rocket science – I’m pragmatically trying to work out if this is really something I need to invest a whole heap of my effort in. I’m asking myself how important this really is to me, my life, my business and my customers. My response, given the limited resources I work with, has to be commensurate to the risk that it causes and the impact of that risk should it come to pass. I can rant about how HTC have been a bit daft here all I like (and many on the Internet no doubt will) but it’s not something I can directly influence or change easily.
Some of the thought processes I’m going through here are described in a great book I read recently. I gave a copy of the book to all of my security team (I’m not that generous, I’ve got a small team!). It’s called “Shut Up, Move On” by Paul McGee – or SUMO®. It describes a method and tools for dealing with challenge or change and part of it is really about how we can react to adverse solutions with a positive attitude. I’d encourage anyone to buy and read the book and think about how those techniques are also relevant in a security context. I’d also particularly encourage you to download the “7 Questions SUMO® cartoon” PDF from Paul’s web site – and think about how those questions can be helpful when faced with a security threat like this one. You might find it useful, you might not. I certainly do.
In any event, and irrespective of how we, as a security community, react to the incident, what is really important now is how HTC respond to this, both technically and publicly. I was somewhat disheartened to see the quote from them on the BBC article – “HTC takes our customers’ security very seriously” – as it’s just a very old, very standard stock response line and it doesn’t fill me with confidence. Crisis response and the effect that a bit of bad PR can have on brand is, however, another job for another blog another time.
Stuart Lyle CEng CITP MBCS AMBCI CISA CRISC
Stuart has been working in the mobile industry for 15 years and has, throughout that time, worked in a variety of roles across fraud, security, risk, continuity and compliance. Currently leading a small but focussed security team at a UK mobile network provider, Stuart also holds the position of industry vice chair at the Network Security Information Exchange within CPNI and has also chaired a local collaboration forum for Business Continuity across the Berkshire region. You can find out more about Stuart on his AboutMe page. Stuart is a guest blogger on this site in a personal capacity – these views and comments are all his and not those of his employer.