Boris Johnson’s phone number breach fails to prompt tighter security – POLITICO
LONDON — The fact that U.K. Prime Minister Boris Johnson’s phone number was just sitting about on the internet for more than a decade should have raised alarms around the security of the government’s mobile communications.
It did not.
Johnson’s previous number no longer connects, though Downing Street declined to confirm he had changed his phone number. Still, the cellphone numbers of multiple government ministers and MPs remain in the public domain — often with little or no concern about how that may put them at risk.
After Johnson’s number garnered widespread attention, no edict went out to Cabinet ministers, let alone to more junior MPs, encouraging them to change their numbers.
Lawmakers have judged that changing a phone number and smartphone might not do all that much to deter would-be hackers, while the effort required may be more trouble than its worth.
Security experts agree that a one-time change is unlikely to make much difference.
To deter hackers, either from foreign governments or those trying to make a quick buck, Johnson and other senior British ministers should use disposable phones, known as burners, with few features, and change them, including the numbers, often, according to Daniel Maki, intelligence lead and digital risk officer at the Institute for Strategic Dialogue, a think tank in London.
“Start using burner phones,” he said. “Have a bunch of them on the go.”
Such a culture shift would entail undoing years of low security communications culture, based on POLITICO’s discussions with outside security experts and several U.K. politicians.
It is still common for local British councillors to post their cellphone numbers on the internet for the public to get in touch, and these councillors often go on to more senior roles in national government. Other politicians regularly put their numbers on press releases, as Johnson did, or a leaflet that can still kick around online years after its initial publication.
Among lawmakers who spoke to POLITICO, there’s a sense the fight to protect their communications has already been lost. One U.K. minister, who spoke on condition of anonymity, said colleagues would question what the point would be of making changes in the hope of cutting off malign access to their devices because China’s security agencies most likely already had access.
A former senior British security official also said that while having a mobile number would make it easier to hack a device, it would be straightforward enough without access to the number that an assumption that all devices are compromised is probably justified.
Keys to the castle
Maki, the security specialist, said having a number in the public domain for 15 years — even if it had then been replaced — would continue to be a risk for Johnson. Repeated calls to the Johnson’s former number said it was switched off.
The number most likely had been sent phishing texts containing dangerous links similar to those which compromised the email account of U.S Democratic Party official John Podesta. That leak allowed Russian-backed groups to gain access to sensitive documents, which were then leaked during the 2016 presidential election, according to the country’s national intelligence agencies.
“Someone sends him a text message, he clicks the link in the text thinking it’s legitimate, and boom. Keys to the castle,” said Maki.
Once infiltrated, hackers might have created backdoors into other accounts like emails and digital membership used on the phone, making them vulnerable beyond the phone itself. The process is called “establishing resistance,” and is the equivalent of breaking into a house while also unlocking all the other doors. The house, in this case, is Johnson’s digital identity.
There is no evidence that Johnson’s phone had been accessed in this way.
Another technique to infiltrate politicians’ phones would be to “spoof” his number to receive two-factor authentication codes intended for Johnson, meaning other accounts he had used would become easier to hack. Two-factor authentication is a security system that requires inputting a digital code sent via text message to access an online account.
As Johnson had his old number since at least 2006, it will almost certainly be linked to numerous other accounts, according to security experts. A search of the so-called “deep web” conducted by POLITICO produced email addresses from his time at the Spectator, the British magazine, running London as the city’s major and for his tenure at the country’s Foreign Office.
If someone had worked out how to previously compromise those organizations, Johnson’s email addresses would have become other target points for hackers to find compromising information on the British prime minister.
“With a phone number and email addresses, even if they are old, you’ve got the tools to begin to try and map out other ways of gaining access to more sensitive information, or to set up monitoring,” said Maki.
A government may have also been able to target his number if he had visited a foreign country and connected to a domestic telecom or internet network, possibly creating digital backdoors to his accounts for future access. Some smartphone apps, including the internet messaging service WhatsApp, may broadcast his new number to people he had connected with in the past, raising the risk of fresh phishing attacks, based on POLITICO’s review of online activity.
Security experts suggested the best approach was to assume every device is compromised — and act accordingly. Yet that theory has a gaping flaw: politicians are not heeding that advice.
That’s where a series of burner phones for the likes of Johnson would come in.
“It’s a pain,” said Maki. “But you’re the prime minister, so it’s worth it.”
This article is part of POLITICO’s premium Tech policy coverage: Pro Technology. Our expert journalism and suite of policy intelligence tools allow you to seamlessly search, track and understand the developments and stakeholders shaping EU Tech policy and driving decisions impacting your industry. Email [email protected] with the code ‘TECH’ for a complimentary trial.