Whatever security measures an Android/iPhone user adopts, all a hacker needs to access personal information is simply your cell phone number.
HOW HACKERS COMPROMISE CELL PHONES
In 2016, hackers operating in Germany remotely accessed an off the shelf iPhone being used by U.S. Congressman Ted Lieu (D – Calif.). The hackers demonstrated their ability to listen to his private conversations by remotely activating the phone's microphone. He also had his GPS turned off, but the hackers were able to compromise the device by tracking his location and monitoring his communication traffic.
Another phone vulnerability is demonstrated by the police when they use IMSI catchers, or cell-site simulators. These devices mask as legitimate cell-phone towers, tricking phones within a certain radius into connecting to the device rather than the tower and allows the ability to take over a suspect’s cell phone. This, in turn, exposes a gold mine of passwords, e-mails, text messages, and contacts, as well as access to mics, cameras and even screen capture. This is a serious problem that should not be underestimated.
The police use cell phone surveillance like IMSI catchers because they are incredibly effective at revealing information about the device and user, but they are not the only ones who have access to them. These kinds of devices can operate in a passive or active mode with a range of capabilities from just listening in, to directly manipulating the target’s phone, to installing R.A.T.s for later use. Remote Access Tools or R.A.T’s, commercially known as “cell phone spyware,” can be installed remotely and allows the attacker all access. This includes access to passwords, emails, text messages, GPS location, location history, and data storage. All of which can be read and modified by the attacker.
Attackers can also access the phone’s microphone, camera, log keystrokes, and screen captures which can circumvent secure communication apps.
More frequently, opportunistic hackers are taking up positions in or near coffee shops, hotels, and other public places. They prey on the unaware by simply using a laptop and a cheap antenna. They can attack your phone through the open Wi-Fi you forgot to turn off or trick you into connecting into a spoofed Wi-Fi network.
These are just a few examples of powerful attacks out of dozens that can grant an attacker access to your phone, regardless of the operating system or manufacturer.
MAKING SENSE OF THE SITUATION
Attacks targeting hardware, firmware, communications protocols and the trust relationship between the cell phone and the network are incredibly powerful. That is because they can bypass efforts at device security. Such attacks are often used in industrial espionage and are a risk to national security. These activities are sophisticated in implementation and threat actors will employ any combination of attacks in order to achieve their mission.
This all probably sounds confusing.
The marketing surrounding modern technology conveys the impression that wolves don’t exist, and these devices are impossible to compromise. It’s an effective message that has led most people to purchase more and more devices that only expand their electronic footprint.
HOWEVER, WOLVES DO EXIST.
Some people call these wolves “hackers” and usually refer to the hat they wear— “white hat” (good guys) and “black hat" (bad guys). These technologically talented people are on the front lines of the battle over information security. While some of these people are rogue actors, they comprise a talent pool of individuals whose services are in high demand. They are employed by governments, corporations, and criminal organizations alike. This is done in order to defend against and sometimes compromise devices and systems in use by the opposition.
Yet, even knowing this, we continue to put our trust and our data in demonstrably untrustworthy devices that we have little to no control over. We log onto unsecured Wi-Fi networks and publish our cell phone numbers online and on business cards. We continue to send sensitive messages through our cell phones. We continue to bring our cell phones into meetings without any way to prevent remote surveillance. We keep searching for more reasons to adopt more and more technology, which only increases our overall attack surface.
That’s the bad news.
YOU ARE PART OF THE SOLUTION
1) Don’t default to wireless (keep access wireless turned off). Connecting to an open Wi-Fi network like a free wireless hotspot exposes your mobile device to security risks. Devices have settings that allow these connections to automatically connect, even if the user does not initiate it. Double check and make sure it is turned off.
2) Keep your Bluetooth and GPS turned off. Enable only when needed.
3) Enable encryption. Encrypting mobile data should be at the top of your priority list as it can prevent sensitive data and information from being compromised in the event it is lost or stolen. Encryption works by scrambling the data stored so unauthorized users cannot access it or read it, and hackers cannot transmit between devices. Most iOS devices use standard encryption and Android devices have a feature, but it makes sure it is enabled.
4) Set protections and develop policies that isolate business data, and applications from personal data.
5) Make sure the solutions your pick protects devices from infected apps, OS exploits, malicious links, and other risks.
6) Stop publishing your cell phone number on your business cards, stationery and on the web. Our phone numbers used to be “just our phone number.” However, in today’s world, that number is the network address to a very powerful computer in your pocket. Hackers can use that network address to not only call you but to remotely attack your phone. What I suggest is that you publish only the number to your desk phone and use the forwarding feature on your desk phone to forward all of your calls to your cell phone. You should also stop your phone from broadcasting your caller ID: To do this on an I-phone: Settings > phone > ‘show my caller id’ > turn this to off. To do this on an android: Settings > call settings > additional settings > caller ID > select ‘hide number’.
7)Lastly, ensure you are operating your dashboard that provides real-time visibility into vulnerabilities.
You can fight back through a combination of behavior changes and an improved understanding of your technology. First, you need to be honest with yourself; the cyber criminals are out there, and you trust your electronic devices far more than you should.
Hackers are counting on you to make every excuse in the book to do nothing meaningful to protect yourself.
The first step to securing your phone, is realizing there is a problem. The second step and most important is to develop a comprehensive knowledge of the where, why, who, and how your device can be left open to an attack.
The third step is to read more about additional solutions using applications by checking out WhiteHawk's next article this Friday.