Following on with our current series of articles exploring cell phone hacking this time we will look at how phones can be attacked. There are 4 main ways in which cell phones can be compromised:
- Spyware can be loaded onto a phone. This, in turn, can activate the phone as a bugging device with full remote control available to an eavesdropper. Advanced spyware has a number of features, including voice-activated microphones to save on battery life and the ability to auto forward SMS messages and the contact list on a phone.
- GSM encryption can be hacked. A number of attacks have been demonstrated and, in theory, given suitable resources, mobile phone encryption could be compromised. This is a passive attack and is undetectable as the signals are received using a specialised radio, which is both portable and easy to hide.
- Cell phone "capture". This attack exploits a couple of design weaknesses found within GSM cell phones. The first is that, whilst a cell phone needs to authenticate itself to a network, the network itself is not authenticated by the cell phone. Couple this with the design requirement for cell phones to connect to the most local base station, based on signal strength, a fake base station can be set up and all local call traffic captured. As mobile phone calls are only encrypted from the phone to the base station a fake base station will be able to process calls "in the clear". This is called an active attack and, whilst it may appear complicated, a number of commercial products are available to authorised agencies and government departments. In early 2010, active attacks were demonstrated using hardware and software that can be purchased for around $1000, less than 1 of commercially available solutions. The widespread availability of home base stations, such as Vodafone SureSignal, has provided a source of equipment that could be adapted for this type of intercept. In reality this attack does have limitations. As the cell phone is using a fake base station it is not registered with the cell phone network, so any incoming calls will be diverted to voice mail or receive a "cell phone unavailable" message. More sophisticated versions of this attack provide two connections—one to the compromised phone and one to the network base station. Using this man-in-the-middle approach the cell phone is able to connect to the authentic network, albeit via a fake base station that will intercept the traffic, so "normal" two-way calls can be initiated whilst the call and data flow is being monitored. 3G phones utilise mutual authentication between the phone and the network so aspects of these attacks will no longer be valid when networks are exclusively 3G and above. Until then the sharing of GSM and 3G systems in support of broader network coverage can still see 3G phones subject to compromise using this approach.
- Inside threat. Threats to information security systems often emanate from inside an organisation. These can take the form of knowledgeable insiders being bribed or bullied into supplying relevant cell phone data and can even be an employee planted by a security agency. In June 2010, a technician who worked in a Lebanese mobile phone operator was arrested for being an Israeli spy and giving access to phone calls for 14 years. Because of the man's role on the technical side of the cell phone network's operations, it was assumed that the entire national network had been compromised.
The good news is that there are some steps you can take to help protect your phone:
- Most obviously keep your phone with you at all times, and don't be fooled into allowing someone else to use it. It can take a matter of seconds for a hacker to compromise your phone by switching out a SIM card or downloading an application. Consider using a PIN to prevent unauthorised access, but make sure you change it from the default setting and guard it as you would a banking PIN.
- Be aware of your environment when using a mobile phone. Despite all the hi-tech ways in which a phone can be compromised, simply eavesdropping into a conversation remains the most common way of obtaining information. Consider techniques such as hiding your lips to prevent lip reading if you are particularly concerned.
- 3G networks may provide a better level of security than 2G if they implement A5/3 encryption, but be aware that a 3G network may degrade calls to 2G in areas without you realising. Some targeted attacks will deliberately downgrade a 3G cell phone connection to an easier-to-attack 2G connection without the user realising it. Consider the country that you are calling from and remember that there may be different attitudes to privacy and confidentiality than in your home country. It has been reported that some countries record all phone calls as a matter of policy, so this is especially important when you know that you are dealing with sensitive commercial, political or industrial intellectual property in these areas.
- Watch out for malware. This may take the form of applications, SMS messages, service messages or email attachments in smart phones. A seemingly innocent game or applet could easily be a piece of Trojan software, carrying a phone bugging application. An unguarded Bluetooth connection can also be a route into your phone, so switch it off if you are at all concerned. A number of vendors are starting to provide anti-malware for mobile and smart phones, which may help.
- If you are concerned that your phone has been compromised turn it off and remove the battery. It is possible to have your phone examined by a forensic expert but it may be cheaper and quicker to remove your SIM card and get a new phone. Remember to back up your phone contacts to another device so that you can quickly copy them to any new phone.
- Don't leave voicemail as these systems can be targeted by interceptors. If you do need to use voicemail ensure that your PIN is changed from the default, as voicemails can be accessed from any phone. Deleting messages after you have received them is good practice.
In the next article we will look at voice encryption technologies.