U R Pwned: Text Messaging Paves Way For Hacking



The fact that text messages appear on mobile phones without any interaction from the user, and sometimes with limited interference from the cellular network operators, can give criminals an opening to break into those devices, as three teams of researchers showed Thursday at the Black Hat security conference here.

Their targets ran the gamut.

Apple Inc.'s iPhones and phones running Microsoft Corp.'s Windows Mobile and Google Inc.'s Android operating systems were all shown to be vulnerable. In some cases, the problems weren't with software, but the way cellular networks process messages.

The findings are troubling as people increasingly use their phones for handling sensitive data, like e-mail and online banking.

Phones are morphing into mini-computers, which means they're going to start getting attacked like PCs.

In some respects, phones are relatively safer. Cellular carriers control their networks more tightly than anyone controls the Internet, so they're in a better position to stop new types of attacks that crop up.

Telling the difference between harmful and legitimate traffic can be tricky, though. And anonymity still is possible given the proliferation of prepaid plans that don't require long-term contracts; a carrier can trace an attack to a particular phone but not necessarily to a particular person.

The techniques demonstrated Thursday show that even disciplined and safety-conscious users could have their phones hacked because they can't totally control what's coming into them.

Innocent people could have their smart phones knocked offline, commanded to visit sites hosting pornography or viruses, or even turned into remote-controlled subordinates of a criminal gang behind an attack.

Take this example about the iPhone, from Charlie Miller, well known for hacking products from Apple Inc. and others, and his co-presenter Collin Mulliner, a Ph.D. student in telecommunications security at the Technical University of Berlin.

They showed how they can disconnect an iPhone from the cellular network by sending it a single, maliciously crafted text message – a message the victim never sees. The messages exploit bugs in the way iPhones handle certain messages and are used to crash parts of the software.

They even said it's possible to remotely control an iPhone by sending 500 messages to a single victim's phone. Those messages contain the necessary commands for the attack and would get executed automatically by exploiting a weakness in the way the iPhone's memory responds to that volume of traffic.

“It's such a powerful attack vector,” Miller said. “All I need to know is your phone number. As long as their phone's on, I can send this and their phone's going to do something with this. … It's always on, it's always there, the user doesn't have to do anything – it's the perfect attack vector.”

Miller and Mulliner also found problems in phones running Android (that problem has been fixed) and Windows Mobile (they say that problem hasn't been fixed yet).

Apple said it couldn't immediately comment. Microsoft said it is investigating the matter. Google confirmed that its vulnerability was fixed.

Sometimes the culprit isn't a software flaw but the way the phones were configured at the factory to handle messaging traffic. Hackers can break in if the phones are too permissive in what types of traffic they accept.

John Hering and Kevin Mahaffey, co-founders of Flexilis Inc., and Anthony Lineberry, a senior software engineer with the Los Angeles-based mobile security firm, made browser screens pop up and direct victims to any page of their choosing by sending specially crafted messages to phones made by Taiwan-based HTC Corp. and sold under major carriers' brand names.
