THEOS Cybernova

Bill Marczak: Mobile Phone Espionage, Zero-Click Attacks, and Invisible Threats

Theos CyberNova Season 2 Episode 14

If your phone were compromised, would you even know?

Most cybersecurity defenses are built to stop loud, disruptive attacks like ransomware. But the most serious threats to mobile devices often look very different. They are expensive, targeted, and designed for espionage rather than disruption.

In this episode of THEOS Cybernova, host Paul Jackson speaks with Bill Marczak, a senior cybersecurity researcher at the University of Toronto’s Citizen Lab, about the realities of mobile phone espionage. They explore why smartphones have become a platform of choice for spying, how attacks can remain invisible to the user, and what makes mobile threats fundamentally different from traditional cybercrime.

Production Credits:

Presented by: Paul Jackson
Studio Engineer & Editor: Manny Peñamora
Executive Producers: Paul Jackson and Ian Carless
Co-produced by: Theos Cyber and W4 Podcast Studio

SPEAKER_00:

This week on the Theos Cybernova podcast.

SPEAKER_01:

Because a lot of the defensive efforts are designed to defend against these very visible, very disruptive attacks like ransomware. Whereas the attacks that are typically directed against our mobile devices, it turns out complex, very expensive to hack into our devices. So what this means is that these attacks are often espionage, conducted by very well-resourced attackers like governments. These espionage attacks is designed to be invisible, totally transparent to the person who's being spied on. If you don't notice anything wrong with your phone, why would you remediate something that may or may not be there? Mobile phones are a platform of choice for espionage. Not only do they have really juicy, really intimate data about us, but these devices also have microphones. They also have cameras, and we may be carrying them into sensitive meetings, sensitive locations where there can potentially be very juicy data that gets captured. There's a lot of dangers associated with it. Often the espionage that's directed against a target, sometimes about their contact. Once you've identified the contacts, then bad things happen to those people.

SPEAKER_00:

The Theos Cybernova Podcast, hosted by Paul Jackson.

SPEAKER_02:

Welcome to another episode of the Theos Cybernova Podcast. Today I'm delighted to be joined by a very special guest, a very unusual guest. His name is Bill Marczak, and he works at the University of Toronto as a cybersecurity researcher. Listening to Bill at a couple of conferences, cybersecurity conferences recently, where he raised some very interesting angles on cybersecurity, and as you're about to hear, some very interesting perspectives. So, Bill, thank you so much for joining me today.

SPEAKER_01:

Thank you for having me.

SPEAKER_02:

Yeah, it's uh it's a real honor. I'm very much looking forward to this conversation. We were chatting just very briefly. This is totally unrehearsed, totally ad hoc and spontaneous. So let's see where it leads. And we'll kick off with the very interesting topic that you just presented on yesterday around mobile phone hacking and security and the importance of protecting privacy when using mobile devices. You know, there were big stories a few years ago, as you were mentioning with Macron and other leaders whose phones were um hacked, those stories around Pegasus. But what are the realities? Because this is a very much overlooked kind of aspect of cybersecurity where we hear about ransomware all the time, we hear about denial of service, but not so much about these devices that we all carry around with us and carry a wealth of information. So, what is it about these devices and what are the real concerns at the moment?

SPEAKER_01:

Well, a lot of the efforts that the cybersecurity undertakes, a lot of the defensive efforts, are designed to defend against these very visible, very disruptive attacks like ransomware. If your company or your computer is hit with ransomware, it's something you very quickly realize because you get a pop-up on your screen that says, ah, well, your files are now encrypted. Here's where you pay the ransom. And there is a disruption to the business. It's very visible, very disruptive. Whereas the attacks that are typically directed against our mobile devices, because of the efforts that Apple and Google and mobile device manufacturers undertake to make these devices very secure, it turns out it's complex, very expensive to hack into our devices. So what this means is that these attacks are often espionage conducted by very well-resourced attackers like governments. So these espionage attacks, or really any sort of espionage, is designed to be invisible, totally transparent to the person who's being spied on. If you don't notice anything wrong with your phone, why would you invest a lot of effort in trying to remediate something that may or may not be there? Yeah.

SPEAKER_02:

I find there's a lot of paranoia around this because sometimes if there is a breach in a client company of ours, we, you know, obviously Theos do a lot of investigation. The executives go, Oh, are our phones hacked? Can you test them? Can you make sure that they're not being hacked? They knew information that they shouldn't have known, so maybe it's our phones. How realistic is that?

SPEAKER_01:

Well, actually, it's quite a big concern, I would say. Mobile phones are a platform of choice for espionage. The reason is simple. We carry them around with us everywhere. Not only do they have really juicy, really intimate data about us on them, our photos, our passwords, maybe our journals. But these devices also have microphones. They also have cameras, and we may be carrying them into sensitive meetings, sensitive locations, where if spyware can turn on that microphone, can turn on that camera, uh, there can potentially be very juicy data that gets captured in a way that might not happen if your computer gets hacked. So often I would say that the investment in developing these hacking tools, developing these espionage platforms, tends to center on mobile devices because that's where the juice is. That's where you want to go.

SPEAKER_02:

So the big question before we get into some more details is Android or Apple, what should we be buying for?

SPEAKER_01:

Well, it's a question that I get asked a lot, and it's it's rather hard to give definitive one size fits all recommendations. I would say that one of the problems that we encounter over and over with individuals using Android devices that we work with is the devices often aren't supported, meaning they're not getting security updates from the manufacturer for more than maybe a year or two in most cases. So what that means is there's a lot of out-of-date Android devices out there which might be vulnerable to vulnerabilities which are publicly known, publicly documented. Maybe someone has written up some proof of concept code online to exploit them. It means that the cost to hack these old, out-of-date phones is much, much lower, right? Whereas if you're receiving the latest updates, you're on the latest version, then in theory, there are no known bugs or bugs that are publicly known, at least, uh, which are present on the device, making them harder or more expensive. You have to hunt if you're an attacker for a so-called zero day, a bug that is not known to the cybersecurity community or really anyone, and then figure out how to weaponize that and exploit that to spy on your target. So that's a common problem we encounter out-of-date Android devices. The nice thing about iPhones in that regard is, well, there's only one manufacturer, Apple, and they control the updates and they make sure that the updates are pushed out in a reasonably efficient way. So I would say that's one point there for Apple. However, Android in some ways, you know, has other things to recommend it. It's it's more customizable. Maybe you can do, if you're a very technically advanced user, maybe you can do more sort of detection or remediation on your device yourself without having to circumvent the device's security.

SPEAKER_02:

Yeah, that's right. What about my Harmony OS, though, on my Huawei phone?

SPEAKER_01:

Well, it's interesting. You know, we've seen, of course, you know, the recent media reporting about President Xi going around saying, oh, you know, Huawei phones, they can't be hacked, right? It's sort of an interesting question, right? If if you're a company that's developing one of these hacking platforms, you want to focus on what is the most efficient investment I can make, right? How if I can invest X dollars in research and development, developing these attack capabilities, developing the spyware, developing the espionage platforms, how can I get the most bang for my buck? So what are the devices that most people are using, right? They're using maybe iOS, they're using Android. And within Android, obviously, you have different flavors of Android. You know, you have Samsung's flavor, you have the other manufacturers too. And then you might have completely different things like Harmony OS, where you know, how much do you really want to invest in that if if you are a company, like you can say to your customers, oh wow, we can we can spy on Harmony OS. And the customer's like, well, okay, well, how many Harmony OS phones are out there? Are the people that you know I want to spy on actually using that? So I think that is there is a little bit of, I guess, what we call security by obscurity. If you have an obscure platform that is not very popular, it's probably not going to have a whole lot of off-the-shelf attack tools ready to go for it.

SPEAKER_02:

Right. Yeah, that's that's very interesting. Yeah, security by obscurity. I love that phrase. So you were at the University of Toronto, you um uh your group or uh whatever you call it, it's called Citizen Lab, right? Correct? That's right. And you mentioned that you focus a lot on the security and privacy of journalists. And I think obviously this is extremely important in protecting freedom of speech and the ability of journalists, investigative journalists in particular, to do their great work that they tend to do around the world. Um and do you find this a major challenge? Do you see that these journalists who are involved in sensitive investigations are indeed targets of with their mobile devices?

SPEAKER_01:

Time and time again, yeah, in in many different country contexts all around the world, we've documented cases of journalists being hacked, from uh, you know, cases surrounding journalists and investigations in in Mexico, journalists in in other contexts in Africa, Asia, Europe. It's really sort of a global phenomenon. One of the problems, I think, one of the challenges with these sorts of hacking tools, right, is they're designed to be invisible, designed to be completely transparent. So, well, transparent in the sense that the target doesn't recognize anything. But they're critically, they're not transparent in the sense that they're very hard to audit. How do you understand who this tool is being used against? Now, maybe the intelligence agency who's operating the hacking, the espionage platform, knows who they're spying on, of course. But how do the people conducting oversight of the intelligence agency, maybe they don't even know that this tool has been procured? So how can they even investigate that, right? I think it's a big, a big challenge. And any sort of feeling on the part of people conducting espionage that, oh, we're we're invisible, we can't be detected, it can be a breeding ground for these sorts of abuses where not only are you going after in terms of espionage, not only are you going after the criminals, the terrorists, the serious problems, but you're also going after, well, maybe people who are investigating corruption, or maybe people who are saying bad things about the government or things like this. It can there can be this sort of mission creep and you get into these cases of abuse.

SPEAKER_02:

And of course, you know, these uh mobile phones are tracking devices essentially. So we're not just talking about theft of data. Okay. Uh yeah, I don't want to trivialize it, but you know, compared to life, when somebody can actually track you down and threaten you physically, or even worse, then I guess that's the real danger, isn't it?

SPEAKER_01:

There's a lot of dangers associated with it. Yeah, I would say that certainly physical tracking is one, but also often what we see is that the espionage that's directed against a target, that's not always about the target, right? It's sometimes about their contacts. Especially with journalists, you might imagine, well, the journalists are chatting with sources, confidential informants, whistleblowers. So maybe you would spy on a journalist, but you know, you know, you're not super interested in the journalists themselves. You're interested in their network. Who are they contacting, right? And then maybe once you've identified unmasked the contacts, then bad things happen to those people who might not have, you know, their phones might not have been hacked, but because the journalist's phone got hacked, uh, they are now in danger.

SPEAKER_02:

Yeah, their sources, yes, exactly. Um I mean, it is opening up a pretty uh terrifying world in many ways, and one that's hard to protect against. So that is the important bit. How does one well how let's step back a little bit? How do the at what typical uh methods do the attackers use to try and you know infiltrate to uh hack the phones?

SPEAKER_01:

Well, there's a variety of techniques that that attackers might use on the very quote unquote sophisticated end, attackers tend to like what are referred to as quote unquote zero-click exploits. Meaning, you know, I think we we all have some sort of vague idea that, oh, well, if I install something malicious on my phone, I might be at risk, right? Maybe the malicious app is going to steal my data, right? But what if you don't actually know that you've installed an app or taking it one step further, what if you you haven't actually done anything at all on the phone? The phone is just sitting on the table, and then one minute it's safe, the next minute it's hacked. So that's the idea of a zero-click exploit, right? The attackers are able to find a vulnerability, a weakness in some code, some software, some app that your phone is running in the background when you're not doing anything. So we all use chat apps on our phone: iMessage, WhatsApp, Telegram, WeChat. These apps are constantly running code in the background. And it's easy to sort of conceptualize or understand this. Your phone might be sitting on the table, and all of a sudden, ding, it lights up, and you know, there's a notification from WhatsApp saying, oh, you've received a new message. Maybe there's a little thumbnail of a photo that someone sent you on WhatsApp. So what's actually going on here is that the phone is processing very complex data in the background. There's a lot of action going on in in your phone when it's just sitting on the table. And if there's some bug, some weakness there that attackers can find, then instead of the attacker sending you an actual image, they send you something which takes advantage of a bug in the image parser, for example. And then they can use that maybe to install spyware or run other exploits that compromise the device. So that's kind of the really scary stuff that's that's quite hard in many cases to defend against.
Now, device manufacturers like Apple and Google have started introducing these quote unquote lockdown mode or advanced protection mode features that are kind of opt-in optional features where if you feel that you are at heightened risk for these sorts of sophisticated zero-click attacks, you can turn lockdown mode on on your iPhone or advanced protection mode on if you have Android 16. And this will disable certain features of the operating system. So maybe less stuff will happen automatically, which is designed to kind of reduce the attack surface and reduce your vulnerability. So the zero-click attacks are the very scary stuff, but there's also more mundane things, socially engineering a user into installing a malicious app which then requests access to photos or location or contacts, right? And the app might appear innocuous, but uh the data is being gathered and synthesized and sent back to an attacker who's using it for malicious purposes.

SPEAKER_02:

Do you think these malicious apps are in any way prevalent? You know, is this a common thing, or do you think this is just something that gets overhyped?

SPEAKER_01:

Well, it's an interesting question. I think there's a lot of stuff out there which you could view as sort of malicious at a low level. But in terms of really invasive espionage, I think it's it's relatively targeted and rare. But there are a lot of apps out there which are collecting behavioral data, collecting uh data from lots and lots of users, right? And maybe this data is not ever used to target most of the users, but it provides kind of a data trove which uh people might be able to, uh data brokers might uh purchase and sell, and then ultimately at the end of the day, intelligence agencies, governments, et cetera, might be able to query or look into this data for specific targets and pull on specific threads there. So an example might be an app that is submitting back data on locations somehow, right? And you know, the location of most people is probably not very interesting, but if you have a specific target in mind, then maybe you can query that bulk database of locations and find something interesting.

SPEAKER_02:

Yeah, excellent, excellent. Let me step back a little bit, because I think you've given probably scared the hell out of our listeners, right, already. Uh but uh let how did you get into this? I mean, what's your what's your story? Because obviously this is an Asian-focused podcast, but you do indeed have an Asia history to yourself, don't you? What was your story? How did you get into this?

SPEAKER_01:

Well, I grew up largely overseas. Um, so when I was very young, my parents moved us abroad to Hong Kong, and I lived there for about five and a half years. Fantastic. Starting in '96, then through the handover till about 2001. After Hong Kong, we moved to Bahrain in the Middle East. And it was that, you know, living in Bahrain, the experience of growing up there, which sort of interestingly led me to do this work when in 2011, of course, the Arab Spring started, the big protests across the Middle East, and I found myself as a PhD student in UC Berkeley in the United States working on something totally unrelated to cybersecurity, which was databases and cloud computing. However, people I was in touch with back in Bahrain started getting these weird, dodgy emails that had odd-looking attachments that they thought might be something bad. So they said, Hey Bill, you're a computer scientist. And I said, Well, I'm not exactly that type of computer scientist, but I'll take a look anyway. And it was sort of then that I started working in this area and things just kind of snowballed from there.

SPEAKER_02:

Interesting, very interesting. So, what is the goal or the mission statement, if you like, of Citizen Lab?

SPEAKER_01:

Well, Citizen Lab is obviously a research organization based at the University of Toronto. So we study broadly the intersection between technology and human rights. And we have kind of a mixed methods approach. We have people like me who are computer scientists on staff. We also have political scientists, people more immersed in like the legal and policy aspects of human rights and technology. And the sort of work that I do, which we call quote unquote targeted threats, is only one stream of research we have at the lab. We also study things like internet censorship, chat app censorship. We look at disinformation, things like this. But the sort of targeted threats work that I work on is I would say broadly defined as looking for and understanding and defending against targeted digital attacks against civil society. So journalists, dissidents, those those sorts of targets.

SPEAKER_02:

And that and that's a very interesting field, because obviously whenever major elections come around, you know, the topic of online misinformation, propaganda, interference with elections comes into play. Are you seeing, I mean, I guess that's something that's high on your agenda, right? And I don't know how much you can talk about here on the podcast, but surely it must be a fascinating area for you to be studying and analyzing.

SPEAKER_01:

It is a very interesting area. Yeah, there's always something new that's that's going on. There's always some new techniques that are being tried by influence operators to steer opinion. It's often difficult to understand to what extent it works, to what extent is it is it swaying opinion, to what extent is it promoting division, is promoting division the goal rather than promoting a specific opinion? It's it's often hard to say and hard to attribute. It's a very kind of murky, murky world. I much prefer looking into things like cyber espionage, where there's often a clearer answer. You can say, ah, it's likely this government with tools purchased from this vendor spying on these targets.

SPEAKER_02:

Interesting. You certainly operate in a fascinating world. And you piqued my interest strongly at a conference earlier this year where you spoke about the perception of cybercrime. So now we're guided by obviously a lot of what we read in Western media, which tends to focus on adversaries of the West for obvious reasons, right? And yet this is not the full story, is it? Your presentation was very interesting because you did flip the coin a little bit and present the other side. Do you want to explain a little bit more about that?

SPEAKER_01:

Yeah. So if you look at what essentially what reports get published by the industry, by academia about uh cyber incidents or cyber attackers, there's often a focus on adversaries of quote unquote the West, I would say. So we see a lot of reports about activity conducted by China, by Iran, by Russia, these sorts of operators. There's less reporting on other actors. We know that a lot of different actors, a lot of different governments, for example, are conducting operations for not only hacking and spying and espionage, but also disinformation and other things too. And we don't see a lot of, we see a little bit, but we don't see a whole lot of this focused on activities, say, coming out of the United States or Europe or other Western countries. And to some extent it it makes sense, like who would be investigating this activity, right? Maybe companies in in Russia, companies in China, companies in Iran. But if you look at, for instance, the Chinese cybersecurity ecosystem and the reporting they publish, well, there's often not a whole lot that is public that you can sort of wrap your head around. You know, we see, we've seen recently some Chinese companies, Chinese entities publish uh details saying, oh, well, the the US has hacked us. Here are some IP addresses associated with the hacking that we've partially redacted. And if you're kind of an independent observer looking at this, it's really hard to understand, well, okay, are they right? Uh did they make a mistake? Uh what are they really talking about, right? Now, sometimes you do get a really interesting glimmer of what's going on. A pretty interesting report a couple years ago from, I believe it's called CVERC, or C-V-E-R-C, a Chinese organization that you know tracks these sorts of attacks. And they published actually some real indicators of a US-based attack, which was interesting. But that's sort of a rarity.
You don't really have this very robust culture of publishing reports like you do perhaps in more so in the Western cybersecurity industry. So it's perhaps partially a cultural difference, maybe a difference with government control or linkage, the coupling between government and the cybersecurity industry, which might be tighter in the context in China, for instance, versus in the West.

SPEAKER_02:

You're absolutely right. And the types of conference that we attend, we tend to only hear one side of the story, which is why your presentation was a little bit rare. Did you find anybody, you know, was a bit a little miffed at your uh presenting it in that way? Do you ever feel any pressure, you know, that should perhaps toe the line a little bit more?

SPEAKER_01:

It's interesting. No one's ever really said that to me. No, I don't think anyone's been been super annoyed about it. I mean, I think one of the things that I kind of have going for me in that respect is the stuff that you know I tend to investigate, and the stuff indeed that the little glimmers that the Chinese and other adversaries tend to publish is often very old. So it's not as if this the stuff, you know, when I when I give one of these talks, I'm not saying, oh, and last week the uh you know the US government hacked X, Y, and Z, right? It's it's sort of more like, oh, well, 10 years ago, right, the stuff that CVERC published or whatever, uh, this happened, and we can link it to this other thing, right? So there's part of that which factors into it. But also one of the reactions is sort of, well, you kind of look at, and again, this is not necessarily a cross-cutting, you know, representative statement necessarily, but in these operations that do get published on the little tidbits that you you see published out of China, it's clear that the tradecraft employed by the Western attackers, at least in these cases, is sort of subpar. Like the one of the reactions I get is like, oh wow, I can't believe they did that. Why do they do that? Or why do they do things that way? There's also the the sort of notion or the reaction, I think, that, oh, well, it's not like you're breaking a huge sweat trying to dig into this stuff, right? It's it's sort of out there to find.

SPEAKER_02:

Yeah, it's it's it's a really difficult balance to strike because the company I I now work for, Theos, is we pride ourselves on being Asia focused, but it's it's a difficult game to play because we have to balance geopolitics. You know, we have US clients, we have clients in the region, of course, and it's cyber is such a hard topic to disconnect from politics or geopolitics. And it can sometimes be extremely challenging navigating those, especially when allegations are made about nation-state interference, which isn't always true. But you know, sometimes uh companies who get breached would rather point the finger at some sophisticated nation-state type attacker to make themselves look like, well, it's not my fault. How can we defend ourselves versus it being a kid in his basement who's the one who's actually really responsible? But yeah, no, joking aside, uh, navigating these things is very difficult. I'm sure it's no different from you, right?

SPEAKER_01:

Yeah, I mean uh the uh certainly, as you say, the uh cyber uh security uh space is deeply intertwined in a sense with with geopolitics. So that sort of makes it interesting, I think, to investigate for people who are you know kind of interested in international relations and and things like that. But it also does introduce certain challenges, right? You know, this sort of reporting that we do can sometimes be seen. You know, the reporting that Citizen Lab does can sometimes be seen by governments or others, I think, in a very national security mindset rather than the sort of way that I think we intend the reports to be seen, which is ah, we're highlighting cases of abuse, right? So it's not that we're quote unquote going after any government, right? We're just kind of highlighting, ah, this is happening, this is an abuse of this espionage platform, this hacking, and this is a problem.

SPEAKER_02:

Yeah, and I think, you know, both of us obviously clearly have the best interests of our clients, albeit very different kinds of clients, I guess, but at heart, you know, in other words, we're trying to help them and protect them rather than thinking politically. You know, let's face it, cyber problems, cybersecurity issues are the same all over the world. The threats are the same, and it's just a matter of who is getting attacked and by whom and how to help them protect themselves. So I'd like to, you know, before closing up, because we keep these uh conversations within around 30 minutes, I want to switch back to the mobile phones a little bit because folks listening are probably going, well, should I be going back to my old Nokia or my burner phones and everything? But the reality is there is we've got to be give sensible advice to folks on how to you know best protect themselves. And what would what would your sort of key takeaways, what would your advice be to those who may have concerns and may want to better protect themselves?

SPEAKER_01:

Yeah, it's a good question. I I would I would say that there's sort of multiple levels to this, right? At the at a very basic level, uh what we often refer to as digital hygiene. So things like ensuring that you're you're not using a quote unquote end-of-life Android phone. Like your phone is still receiving updates, it's still getting the security updates, you're installing them in a timely fashion. Uh so that's sort of a basic piece of advice, right? Ensure that you're up to date. If you want to take things further, if you feel that you might be at elevated risk, so not just sort of an average person, you know, not doing much that might attract the ire or interest of spies. If you feel that you're kind of above average risk, maybe you want to take additional precautions. So I mentioned earlier there's lockdown mode for iPhone or advanced protection for Android if you're using Android 16 or above. So these are optional features. You have to actually turn them on in the security settings of the phone, but they will disable certain features. So you might notice a few differences. You can try them out. If they work for you, keep them on. If they don't work for you, you can always turn them off later. It's not, you're not uh committing yourself to anything by turning it on necessarily. But if it does work for you and you do feel like you face elevated risk, then use it, because we have seen that it does block a lot of these sophisticated attacks. And I think also, yes, we talk a lot about these very, very sophisticated attacks, but they're not all that, right? There are some types of attacks, some things that users might notice. As you sort of alluded to earlier, information that was discussed in confidence becoming public, and you don't understand how that happened, right? Things like that, maybe even things you notice on your phone, like, ooh, I got a really weird message that has like political content and it's got like a strange-looking link in it. 
Maybe that is worth investigating further. And in that case, there are resources if you're a member of civil society that you can avail yourself of to help investigate these sorts of cases. So, for instance, we collaborate often with an organization called Access Now, who has a digital helpline. And if you're a member of civil society, you can contact this helpline. You can just Google or search for AccessNow Digital Helpline. And they operate around the clock in uh dozens of different languages, and they'll help you with any sorts of digital security incidents you may face, whether it's strange politically themed messages with weird links, whether it's receiving a notification from Apple or Google that they periodically send out these notifications, hey, we've detected a sophisticated attack on your device. So that is a good resource, I think, for civil society specifically, but definitely, you know, the basic, a lot of this stuff starts with sort of the basic hygiene. Make sure your phone is receiving updates, make sure you're installing those updates. And uh, you know, if you're at heightened risk, turning on the lockdown mode, turning on the advanced protection.

SPEAKER_02:

Right. So I'll just repeat that one more time. That's Access Now Digital Helpline, yeah, for those who want to get to or maybe concerned. But I think there's also one important point to raise, because in our region, a lot of people buy these cheap Android phones online. And we've obviously heard about and seen it's been pretty widely publicized. Uh, the Lemon Group, I think, were one of the groups that were attributed to have infiltrated the supply chain for these cheap phones and embedded spyware, malware already on these phones before they even hit the market. And you know, we see in our region on Lazar and other sort of sites where you can buy these cheap phones. And I think that's fraught with risk, right?

SPEAKER_01:

Certainly. I mean, you get what you pay for at some level, right? If you're saving money on the purchase price, it might be because there's some tracking or additional things built into the device that you know the manufacturer can monetize or sell. So that I think is something to be wary of. I mean, obviously, not everyone can afford the super duper, you know, top-of-the-line iPhone, for instance, but making sure that the phone is, I guess, you know, from a reputable manufacturer, let's say, and you can check, the manufacturers will often say, Oh, we will provide security updates for X years after the phone is released or after the purchase of the phone. Um, so making sure that you're comfortable with that lifetime of the device.

SPEAKER_02:

Yeah, and I think this, uh, also corporates should be aware of this because most companies nowadays, they don't provide phones for their employees. In the past, you know, we saw that they would actually provide phones. Um, nowadays with sandboxing technologies, et cetera, they tend to allow your personal devices to be used. But if your personal devices are weak and they have, uh, flaws in them, then of course that brings vulnerabilities into a corporate environment as well. So it's something that needs to be looked at and make sure that in the corporate world you only allow established phone brands, you know, your Samsungs, Sonys or whatever of this world, Apple, you know, to be permitted.

SPEAKER_01:

It can definitely be tricky, especially with, you know, work from home, uh, work-life balance, things like this. Work might bleed over onto personal devices, even if the company does provide work devices. And attackers view the target holistically, right? They don't think, oh, gosh, we gotta target the work phone, like we can't go after the personal phone. No, of course not. They're gonna target the personal phone, the personal computer. It's all part of the same individual, the same person.

SPEAKER_02:

Right, yeah. So a lot to think about, really. And you look, as we wind up this conversation, you know, and Bill Marczak, I can't thank you enough for taking the time out to join me today. It's a really important topic. But, uh, I always close out these podcasts because I'm a music lover. Right? And, uh, it's my way of unwinding. I do enjoy my vinyl collection. I'm an old guy, you know, so I like the old-style music. But I'm always intrigued, you know, by what my guests currently have on their playlists. So what are you listening to currently, Bill?

SPEAKER_01:

Well, I will say I have a two-year-old son. So he is very into a couple specific songs. I'm not quite sure why. Uh, one of them is American Pie by Don McLean. So we've been playing that a lot. And he really likes songs about trains and railroads. So he's also a big fan of the, uh, Amazon Alexa device that, uh, so we don't have one at home, but we were visiting some friends who had one, and he would just kind of go up to the Alexa and say, Alexa, play a song about a choo-choo train or play a railroad song. So I've been listening to a lot of all aboard the choo-choo train and things like that.

SPEAKER_02:

Oh, fantastic. Yeah, it was funny. I had a guest a couple of weeks ago that had the similar thing, talking about the wheels on the bus. But you know, look, Bill, fantastic to have you on this episode and some great information and great advice for our audience. And please remember to hit that like and subscribe button. It helps us to get these important messages out to a wider audience. Bill, thank you so much for joining me here today and enjoy the rest of your time at this conference. Thanks for having. Theos Cybernova was presented by myself, Paul Jackson. The studio engineer and editor was Manny Peñamora. The executive producer was myself and Ian Carless. And this podcast is a co-production between Theos Cyber and W4 Podcast Studio in Dubai.