iPhones Leak MNPI and other Sensitive Data even when turned off
In the financial risk and compliance community it is well known that banks manage the threats from smart mobile devices largely through paper-based, policy-led controls. Some firms go as far as offering some form of related awareness training.
Typically, the policy either restricts the use of personal mobile devices or bans phones altogether. The most common restriction allows traders and other staff to take only emergency calls, and only after walking off the regulated trading floor.
Leaving aside these dated rules that do not embrace the new technology, let's focus on what it actually means when we switch off our iPhones. Does that technically give any protection against the abuse of material non-public information (MNPI) and the manipulation of sensitive market information?
Since iOS 15, iPhone 11 and later models keep several wireless subsystems running in a low-power mode even after the phone is switched off: Bluetooth, Near Field Communication (NFC) and Ultra-Wideband (UWB). In human terms, the NFC chip is what we use for payments and transit cards, and the UWB chip is used for precisely locating the iPhone and other items such as AirTags.
All three subsystems interact with the phone's Secure Element, which stores our most sensitive credentials, and they stay active when the phone is powered down. The threat is that this always-on wireless functionality can be hijacked by malware, giving hackers and other bad actors a foothold in a phone that appears to be off. Researchers at the Technische Universität Darmstadt confirmed this in May 2022: they showed that the Bluetooth chip's firmware is neither signed nor encrypted, so an attacker who has already gained privileged access to the phone can modify it and keep malicious code running while the device looks switched off. The caveat a practitioner should note is that this is a persistence technique rather than a remote break-in; the phone has to be compromised first.
Factor in what the technology in our iPhones and smart wearables is capable of. All our smart devices share one common denominator: you can receive and send information without drawing attention to yourself. Almost every one of them is interactive, carrying a microphone, often a camera, and a near-permanent network connection.
From a regulatory compliance perspective this means a bad actor can use the iPhone's weakness to gain access to sensitive MNPI and benefit directly from the resulting manipulation. Banks would be none the wiser, as they have no technically assisted visibility of any personal mobile device on their trading floors. The bad actor, meanwhile, can prove that his phone was switched off. Case closed.
We at Mobilewatch maintain that personal mobile phones and all smart connected devices remain a real and present danger to the integrity of financial markets on trading floors. The threat is highly technical and requires a working knowledge of radio communications. For precisely this reason, policy-based control measures will not solve the problem. Nor do the software platforms used to manage work devices cover this threat.
The good news is that most of the vulnerabilities associated with personal mobiles on regulated trading floors and in other sensitive areas can be controlled and managed. Appropriate technology, both hardware and software, exists to bring the phones in regulated areas under control.
Smart devices are ubiquitous and an integral part of our lives, which means the phones need to be dealt with, not ignored. Add to the mix a divided world with ever more aggressive cyber attacks, and the current regulatory compliance around personal mobile devices remains a paper-based exercise while MNPI is manipulated right under our noses.
For the innovators amongst you who want to embrace technology, please contact me to discuss how Mobilewatch can help.
Published: 10 November 2022
Author: Raili Maripuu