When he woke up, the OS and radio stack version had been changed, says Glenn Schoonover, senior director of security solutions at KoolSpan and former chief of network security at the Pentagon. "The operating system was updated over the air without the consent of the phone owner," he says.
The customer suspects it was done by the Chinese government, which controls the telecommunications service in China, Schoonover says. "With the right software they could turn on the microphone without alerting him, thus enabling them to listen to any of his conversations, not just phone calls," Schoonover says -- or even remotely control his device to monitor emails, read stored files, and so on.
Even devices with a reputation for having strong security, such as Research in Motion's BlackBerry, need to be carefully guarded. For example, the last time security technology company Cylance had an executive travel overseas, he wiped his BlackBerry and used the cleaned smartphone for phone calls only, says Stuart McClure, Cylance's CEO.
When the executive returned home, the BlackBerry did not properly boot up, so the company had to do a full firmware refresh, McClure says. "We are still working on the forensics image to determine root cause, but it is clear that something happened to the firmware image, which can only be done with an invisible update from RIM -- which is not likely -- or an attack," he says.
4. Apply encryption generously. If your laptop or mobile device has personally identifiable information or external access to personal and corporate systems, it's imperative that the device be totally encrypted, says Prescient Solutions' Irvine.
Vendors such as Microsoft, Check Point, and Symantec have products to totally encrypt data on hard drives and portable storage devices, Irvine says. Apple includes such full-disk encryption in its OS X, though you may want to use a defense-grade product instead.
On mobile devices, Apple's iOS is encrypted by default, and that encryption can't be turned off. But it's not defense-grade encryption, so state-sponsored cyber thieves can get around it. That's also true of Android's encryption, which must be enabled by the user. The new Windows Phone 8 also includes device encryption, which is on by default as in iOS. All three mobile OSes use SSL encryption for data sent over the Internet; Apple provides S/MIME encryption for email as well.