Hostile Takeover of Your Phone

It used to be that computer viruses pretty much stayed in the realm of computers. Phones weren’t in that worrisome category yet.  Well time to start worrying a bit.  A recent demonstration at the RSA security conference showed how clicking/tapping a bad web link on your smartphone could give the hacker complete control of your phone.

Uh oh.

According to the article, How a Web Link Can Take Control of Your Phone, by Tom Simonite from Technology Review all it takes is a simple web link to take control over somebody’s cell phone. Simonite described how George Kurtz and colleagues from security company, CrowdStrike, were able to view all calls, texts, activate the microphone to listen, steal data, and the location of the cellphone. 

Kurtz and colleagues played out a scenario on stage that involved hacking a real, unmodified Android phone. Kurtz, playing the role of a busy investor at an industry event, received a text message claiming to be from his mobile carrier asking him to download an update to his phone’s software. When he clicked the link in that message, the phone’s browser crashed and the device rebooted. Once restarted, the device appeared unchanged, but a silent, malicious app had been installed that relayed all his phone calls and text messages to the attacker, who could also track his location on a map.

Basically it is kind of like what Reese and Finch do each episode in the TV show, Person of Interest. Now instead of pointing at the device to gain access the hackers send an email or text message.

While the attack happened using a phone using Google Android OS 2.2 version, it can happen to Android OS 2.3 and other devices, iPhone, iPad, BlackBerry, etc.  According Simonite, “WebKit, the browser component that was exploited, is also at the core of the Web browsers found in Apple’s iPhone and iPad devices, BlackBerry phones, and Google’s TV devices.”

Now this type of hack isn’t cheap but it isn’t outrageously cost prohibitive either, and it only took them a few weeks to do.  The article states they spent $1400 on the black market for information on the 14 known unpatched bugs in WebKit which allowed them to gain full “root” access to the phone and use it install a remote access tool.

This type of hack while a virus isn’t at the viral stage yet.  It still is at the level of attacking a specific individual’s phone not whole bunch of phones.  According to a CNET news article, “An attacker would have to know in advance what operating system the device was running and tailor the message, either SMS or e-mail, to that person to trick them into opening it up and acting on it. This could be particularly dangerous for high-profile targets, such as government officials and CEOs who have a lot to lose if their phone calls and data on their devices were compromised.”

While the average person probably isn’t going to be a victim of this, it is a good reminder that our cell phones are mini computers now and can be vulnerable.