No products in the cart.
LONDON – The fact that UK Prime Minister Boris Johnson’s phone number has been on the internet for more than a decade should have sounded the alarm to keep government mobile communications safe.
It has not.
Johnson’s previous number stops connecting, despite Downing Street refusing to confirm that he had changed his phone number. However, the cell phone numbers of several government ministers and MPs are still in the public domain – often with little or no concern about how this could endanger them.
After Johnson’s number attracted widespread attention, no edict went to cabinet ministers, let alone junior MPs, encouraging them to change their numbers.
Legislators have found that changing a phone number and smartphone may not do too much to deter potential hackers, while the effort required may cause more problems than it’s worth.
Security experts agree that a one-time change is unlikely to make much of a difference.
To deter hackers from either overseas governments or those trying to make money quickly, Johnson and other senior UK ministers should use single-use phones called burners with few functions and change them frequently, including the numbers, according to Daniel Maki , Intelligence Lead and Digital Risk Officer at the Institute for Strategic Dialogue, a think tank in London.
“Start using burner phones,” he said. “Have a couple of them on the go.”
Such a culture shift would result in years of low-security communication culture being undone, based on POLITICO’s discussions with outside security experts and several UK politicians.
It is still customary for local UK councilors to post their cell phone numbers on the internet for the public to contact and these councilors often take on higher positions in national government. Other politicians regularly publish their numbers in press releases, as Johnson did, or in a brochure that can be published online for years after it was first published.
Among the legislators who have spoken to POLITICO, the battle to protect their communications is already lost. A UK minister, who spoke on condition of anonymity, said colleagues were wondering what the point would be in making changes to prevent malicious access to their devices, given that China’s security agencies most likely already had access.
A former senior UK security officer also said that while a cell phone number would make it easier to hack a device, without access to the number it would be straightforward enough that the assumption that all devices have been compromised is probably justified.
Maki, the security specialist, said a number that has been publicly available for 15 years – even if it had been replaced – would continue to pose a risk to Johnson. Repeated calls to Johnson’s previous number said it was turned off.
The number had most likely received phishing texts containing dangerous links similar to those compromising the email account of US Democratic Party official John Podesta. This leak allowed groups backed by Russia to gain access to sensitive documents leaked during the 2016 presidential election, according to the country’s national intelligence services.
“Someone sends him a text message, he clicks the link in the text and thinks it’s legitimate and booming. Key to the lock,” said Maki.
Once infiltrated, hackers may have created backdoors into other accounts such as email and digital membership that are used on the phone, making them vulnerable beyond the phone. The process is known as “creating resistance” and is equivalent to breaking into a house while opening all the other doors at the same time. The house, in this case, is Johnson’s digital identity.
There is no evidence that Johnson’s phone was accessed in this way.
Another technique to infiltrate politicians’ phones would be to “forge” his number to get two-factor authentication codes intended for Johnson, which means that other accounts he had used would be easier to use would be chop. Two-factor authentication is a security system that requires entering a digital code sent via SMS to access an online account.
Since Johnson had his old number since at least 2006, it will almost certainly be linked to numerous other accounts, according to security experts. A search of the so-called “Deep Web” carried out by POLITICO found e-mail addresses from his time with Spectator, the British magazine which led London as major of the city, and for his tenure in the country’s foreign office.
If someone had figured out how these organizations could be compromised beforehand, Johnson’s email addresses would have become another target for hackers to find compromising information about the UK Prime Minister.
“With a phone number and email addresses, even old ones, you have the tools to try and find other ways to access more sensitive information or set up surveillance,” Maki said.
A government may also have been able to determine his number after visiting a foreign country and connecting to a domestic telecommunications or internet network, possibly creating digital backdoors to his accounts for future access. Some smartphone apps, including WhatsApp internet messaging service, may send its new number to people with whom it has been in contact in the past, increasing the risk of new phishing attacks based on a review of online activity by POLITICO.
Security experts suggested the best thing to do is to assume that any device is compromised – and act accordingly. This theory has one gaping flaw, however: politicians ignore this advice.
This is where a number of burner phones for Johnson came into play.
“It’s a pain,” said Maki. “But you’re the prime minister so it’s worth it.”
This article is part of POLITICOPremium Tech Insurance Cover: Pro Technology. With our expert journalism and a range of policy intelligence tools, you can seamlessly find, track and understand developments and stakeholders that influence EU technology policy and make decisions that affect your industry. E-mail [email protected] with the code ‘TECH’ for a free trial.