In our previous blogpost we talked about how your phone can get hacked via a local attack i.e. when the phone is in the attacker's hand. In this blogpost we will see how your phone can get hacked remotely, meaning the attacker accesses it from distance.
As we already mentioned, "hacking" a phone means to access the content of your phone. That includes seeing what’s happening on the level of your screen, your camera, listening to your microphone,... as well as having control of the phone as well. Taking control of the phone means keeping control and having a constant access to it.
To hack a phone remotely, you first need to understand what a numerical weapon is.
We have what we call exploits, which are bugs that can be converted into something that allows the attacker to launch an app. For example, let's consider there’s a system that has a bug, e.g. I know your phone will bug if I send you the message “1,2,3”. I'll add my program following this "1,2,3" message which will be launched once the phone bugs. You’ll receive the message, your phone will read the message “1,2,3” and will bug, and then will launch the program that I sent via this sms. Here's an example of this type of exploit.
Exploits can be local or remote. They always come from a bug. The bug allows you to send a command, and sometimes an entire program. In some cases the hacker can decide to keep a "persistant" access by installing a spy program on the device after having performed the attack. From here the attacker takes control of the phone.
There are two types of exploits:
1) Exploits that are known publicly. After the exploit is made known to the authors of the affected software, the security vulnerability is fixed and the exploit becomes unusable. So in order to protect yourself from publicly known exploits, you need to update your phone appropriately.
2) “Zero days”: which are exploits that aren’t made public, meaning people aren’t aware of these security vulnerabilities, except from the ones that found them. A zero day is a security flaw that has not yet been patched (i.e. "fixed") by the vendor and can be exploited and turned into a powerful weapon. So when you have a zero day, you can basically hack all the range of devices which this bug allows you to exploit. Why aren't these bugs published directly? Because the entity who has found the exploit has a particular interest in not making it public in order to hack; whether it’s criminals, governments,… Indeed if they publish the exploit, they won’t be able to hack anymore. Zero days can be found on the black market.
Finding exploits is a job, there are competitions for this. They can be sold at a very high price on the market, e.g. remote exploits for iPhone can be sold for millions. According to this article, "Apple now offers up to $1 million to security researchers who discover iOS vulnerabilities and report them, but these bugs are often way more valuable to sell on the black market".
The more global the exploit is, the more expensive you’ll be able to sell it.
Then, there are also backdoors: you can see a "backdoor" as a hidden door, something the attacker voluntarily implemented inside the app so that they can connect to it. It's essentially introducing a bug. For example, you modify iOS so that it bugs in a specific way. When you introduce a backdoor, it basically becomes your own zero day. If done well, it is very difficult for anyone to notice that there is one implemented.
It is extremely complicated to protect yourself from zero days, however you can protect yourself from public exploits, as they have been corrected by updates. But bear in mind that this still means you are vulnerable, in that you need to make sure your phone is updated appropriately. You cannot always count on your provider to ensure your security with updates. For example, take the Android market, where close to 90% of Android makers don’t provide updates, meaning a lot of phones become obsolete quickly, as they provide the updates for a duration of 6 months. Following this time, they can’t promise you security anymore (some fascinating sources on Android security: here, here, and here). If you want security you need to buy again. Most of Android devices' exploits are publicly available. That means I can go on a website, download the exploits and hack more than half of Androids!
If you want to make sure you get the updates it’d be recommended to either buy iPhone or Google (and the security you get from them is only for a set period of time until they don’t provide updates anymore). If you really want to optimise security with a smartphone, go for an iPhone and renew the phone every two years (iPhone is better than Android Google in terms of privacy). It won't protect you from zero days, but you'll still considerably increase your security.
What kind of attacks?
Non-targeted attacks: They have a global target and attack the ones who have security flaws and then use these to access a very large amount of devices. They either exploit a weakness in software or in an organization's defenses. Examples include the recent Android-WhatsApp scandal, where hackers exploited an Android vulnerability and injected spy softwares on to phones via the Whatsapp voice calling function, giving them full access to the devices remotely, allowing them to read messages, see contacts and activate the camera. The spy would be installed even if the call was not picked up!
Targeted attacks: These are attacks on a specific target, to achieve a specific objective. For example, it is the case of Pegasus, a spyware that can be installed on devices running certain versions of iOS. Pegasus exploited some iOS security vulnerabilities in order to take control of the devices of a specific group of activists. The software can basically do anything that users can do, including read text messages, turn on the camera and microphone, add and remove files, and manipulate data. If interested, here's an article on it.
Targeted attacks require intelligent planning, which also means effort, time and money, in which case the attacker has determined that the “reward” is worth the effort. It can involve months of observation in order to collect maximum info and then design the attack.
Some of these attacks can even be physical, e.g. by using voltmeter lasers (devices that measure the voltage in cables) that give the measurement from distance and recover passwords from the keyboard’s cable. I can do it from the opposite building of your flat. By measuring the voltage in your cable, the voltmeter will determine which button was pressed. I can also film what happens on your keyboard from the opposite building, in which case I just need to find a good angle.
I could also attack the local network. I can hack your Wifi when I'm nearby, or your router from distance. Routers are not updated; 83% of them are vulnerable, and once I take control of the router this allows me to access your devices from your local network. Here's an interesting paper on the security of routers.
There are a lot of ways to hack a smartphone - it depends on which numerical weapon you have. Each weapon has particular characteristics. Some will allow you to hack from far away, others will allow you to hack from very close. Hacking is about being ingenious enough to combine the different tools at your disposal in order to create an effective attack.
You can protect yourself from non-targeted attacks by updating your devices when fixes are available. However protecting yourself from a targeted attack is more complicated. If the attacker is high level, depending on how extreme his actions are, truth is he will eventually get access to the device. Nevertheless you can still take appropriate measure to increase your security, as we have also seen in our previous blogpost.
The introduction of the smartphone to the world has been an incredible gift for hackers. The gathering of info on this device, the fact that it’s always with you, and the simplicity of hacking it makes it a goldmine.