The private, unfiltered conversations of candidates and their staff are the fuel that run campaigns. But some of these conversations may have uninvited guests: sophisticated hacking groups listening through participants’ compromised smartphones.
With live microphones capturing everything from strategy discussions among senior staff to a candidate’s candid thoughts in private moments, bad actors can use the inside information gained from these breaches to hurt a candidate’s chances of being elected.
My company, Privoro, has chosen to initially focus on tackling security problems around smartphones because these devices are indispensable and yet can too easily be turned into instruments for illicit data capture. We’ve seen this play out in certain international markets, where it seems to be an accepted fact that anyone with access to high-value information is a target for smartphone compromise.
For campaign professionals in the United States, the clearest danger is probably illicit access to personal devices (especially smartphones) and accounts, as these provide a gateway to the informal, private information that can most cripple a campaign.
Here the experience of campaign operatives in Latin America, Africa, and the Middle East is illustrative. There cutthroat political environments mean that candidates must assume that their opponents — or the government in power — are using digital eavesdropping to listen in on their conversations. At the center of these eavesdropping efforts is a candidate’s smartphone, which can be remotely infected with advanced spyware and essentially turned into a live bug that’s generally always in range of the candidate’s discussions with staff, family and friends.
A great example of this phenomenon at work takes place in Panama, where Ricardo Martinelli, the former president, was accused by the Panamanian government of illegally spying on more than 150 of his political enemies via their smartphones. Martinelli allegedly purchased the infamous Pegasus spyware, which provides a number of spying functions, including the ability to remotely activate a mobile device’s microphones in order to perform live eavesdropping.
According to court documents, Martinelli formed a spying team that used the spyware to monitor targets’ political discussions and strategy meetings, as well as their private conversations with family and other personal affairs. One such conversation that was captured involved an opposition deputy being accused of infidelity by her husband — the audio was later edited and then uploaded to YouTube. In other cases, Martinelli published information gathered from his eavesdropping efforts in media outlets that he owned.
In addition to the Martinelli case and similar cases in Mexico and elsewhere, there are likely many more instances of smartphone-based eavesdropping against politicians – including those within the United States – that haven’t been publicized. One reason for this is simply that advanced spyware is difficult to detect, as it typically exploits zero-day vulnerabilities within smartphones and thus evades most forms of detection.
This is especially true for a campaign, where cybersecurity is almost always given a backseat to fundraising and operational expediency. Another contributing factor is that if the smartphone of a candidate or member of the senior staff is indeed found to be infected with microphone-hijacking spyware, the campaign has every reason to keep this news under wraps for fear that it could derail the candidate’s message and distract voters.
Battling smartphone-based eavesdropping
To keep the threat of smartphone-based eavesdropping from derailing your campaign, it pays to start with training. The candidate and senior staff should be trained to recognize and avoid social engineering attempts — especially suspicious links sent via SMS, as these are still the most common delivery mechanism for spyware.
At the very least, these key people should be made aware that their smartphones can be turned into live bugs, perhaps leading them to keep their smartphones at a distance when discussing the most sensitive details of the campaign. Ideally, the candidate and top staff members should be provided with an anti-surveillance smartphone add-on to physically mask the audio being fed into the microphones so that it’s unintelligible to a potential hacker listening on the other side.
Smartphone-based eavesdropping is poised to join email hacks, document dumps and misinformation campaigns in the election hacking toolkit.
Michael Campbell is the Director of Federal and Government Business at Privoro.