Co-author of Hacking Exposed, George Kurtz. Photo: Fairfax and Bloomberg
The security threat to mobile devices is now real and there is a wave of new exploits allowing hackers to eavesdrop on smartphones – even when you’re not connected to a phone call, writes Lia Timson.
Phone crashing regularly? Strange SMS bothering you for an update or a juicy link? It’s time to wise up to mobile malware.
Security experts have shown that iPhones and Android phones are vulnerable to the same type of “drive-by” attacks that have long plagued PC users.
A team of researchers infected a Google Android smartphone overnight, live, in front of a packed audience of computer security buffs to prove how mobile malware is now on the cusp of the big time, after so many years of unfulfilled predictions.
George Kurtz, co-author of Hacking Exposed, former McAfee security champion and now at the helm of CrowdStrike alongside Dmitri Alperovitch, demonstrated how the team designed a smartphone remote access tool (RAT) and eavesdrop operation, then set about purchasing the necessary items to make it happen, later coding and executing the attack on their demo phone.
“We believe we are here today and on the cusp of what we’re going to see in the future. If you think of what a smartphone has the capability to do, it’s the ultimate spying tool. Always powered on, always connected, travels around with us at all times,” Kurtz began.
“If you haven’t figured out privacy is dead, this is going to do it for you.”
The scenario was a competitor wanting to intercept calls and text messages on Kurtz’s phone, and the attack was Webkit-based. Webkit is a tool used by Apple, Google and RIM to render HTML websites in Safari, Chrome and Android, and the latest versions of the Blackberry, respectively.
The team purchased 20 Webkit vulnerabilities – or bugs – in the underground for $US1400, spent approximately $US14,000 developing the malware code (“weaponisation phase”) and engineering root access, as well as building their own command and control centre to be able to harvest the fruits of their exploits.
The attack followed several steps: the first being a text message delivered to the smartphone appearing to come from the mobile carrier requesting a system update via a link. Once clicked, the drive-by link delivered the first part of the malware to the phone to elevate access (root) privilege, then cause it to crash.
It then automatically rebooted, executing the second part of the malware and hijacking the phone’s communications.
When Kurtz made a call to Alperovitch, the audience could hear the live conversation – as well as what was said before the call connected. On the command and control centre’s screen, a map positioned Kurtz and Alperovitch’s locations, the start of transmission, and the text of a subsequent text message Alperovitch sent Kurtz.
They said the attack did not require a phone be jailbroken and would work on any of the devices using Webkit – although this particular code was customised for the Android 2.2 (Froyo) version.
Kurtz told Fairfax Media such an attack would be possible on the iPhone because of the root access obtained via the browser vulnerability.
“We would have to get code execution via the browser, then escalate our privilege to root and totally bypass the app store [as we did] with Android.
“This is the point we are making: drive-by attacks will hit the phone just like the PCs,” he said.
But he said he didn’t want the audience to develop a bout of paranoia. “The sky is not falling, these are very targeted attacks.”
Lia Timson attended RSA 2012 as a guest of RSA.