How can your phone get hacked? And what can you do to protect yourself from an attack?
First, let's define the terms: what does "hacking" a phone mean? Put simply, it means accessing the content of your phone, i.e. the material and the info that's inside. That includes seeing what's happening on your screen and through your camera, listening to your microphone, and so on.
An attack always comes down to the same thing: it is about accessing the content of the phone. And then, depending on the attacker's intent, taking control of the phone as well. Taking control of the phone means keeping constant access to it (meaning it's more than just reading the info).
1) How can I hack your phone?
2) What can I install on your phone to keep control of it?
3) What you can do to prevent your phone from being hacked...
How can I hack your phone?
Let's differentiate two types of "attacks": Local Attacks (I hack your phone with your phone in my hand) and Remote Attacks (I hack your phone from a distance).
In this blogpost, we will talk about local attacks. In this other blogpost we focus on remote attacks.
Local attack: "If I can touch your device, it's mine".
A local attack on your phone means I access it via physical contact. I can either just connect to your phone, read what’s in there and then leave without touching anything inside. In that case, I just took the info and that’s it. I can also go for a more extreme attack, where I install a "spy" (an app) and take control of the device. That essentially means that at any given point after I hack the phone, I can always reconnect and see what you’re up to.
Practically speaking, how can I hack your phone via a local attack?
1) Breaking your pin code
2) Accessing your phone for 5 min
1) Breaking your 4-digit pin code
One of the first things I'll do to attack your phone is look out for your 4-digit pin, since it's something that you'll always end up using, and therefore me seeing you in action is just a question of time. Even though it's becoming more challenging with fingerprint and face ID access, there will always be moments where you will use this pin or pattern (depending on whether you have an iPhone or Android), which are essentially the same: a simple combination of four numbers. Face ID or biometric access can fail for whatever reason in the moment, and you'd usually resort to your pin code or pattern. I just need to be patient. I can also provoke you into having to enter your pin by blocking your phone. All I have to do is "fail" to unlock it multiple times, until it gets blocked and it asks you for your pin. At this moment you will need to manually enter your password. And I shall be watching.
You might think it isn't this easy to get physical access to someone's phone. Well, isn't it, though? "Hey, can I use your phone to check something?" "May I use your phone to send a message to my girlfriend? My phone ran out of battery." "May I put another song on?". To which you will most probably reply "Sure, go for it!".
In one of our previous blogposts we mentioned how easy it is for a hacker to access someone else's phone physically (last paragraph). And all this is even considering everyone has a pin code on. How many of your friends actually have no password, no barriers whatsoever that protect the access to the content of their phone?
The moment I have your pin, I have access to everything. I can download anything and that's it: I now have full control over your phone.
Now, let's say I don't have your pin, but still have physical access to your phone. What can I do to hack it? I can still find another way...
2) Accessing your phone for 5 min
5 min, that's all I need. Whether it's while you're having a shower, or working out at the gym.
Let's say that, for whatever reason, I haven't been able to break your pin code. In that case, here's what I'll do: once I have your phone in my hand, I'll turn it off and turn it back on while loading an app at startup. This will give me a kind of developer mode where I have access to the phone as if it were a USB key. Once it's on, what I'm looking for is the decryption key, which is protected by your pin. If your pin is 4 digits long, that basically means the decryption key I want access to is protected by a 4-digit code. And this is very easily breakable. In fact it could be done in about 30 seconds!
Concretely speaking, what do I do? I plug the phone into my computer, I start it in DFU (Device Firmware Upgrade) mode, and I load an app onto it, which gives me access to your phone's memory as if it were a USB key. I now have your files, but they're encrypted. They're encrypted with a key. A key protected by a 4-digit code.
From 0000 to 9999: these are all the possible combinations, and for a computer this only takes a few seconds to break.
What I'll do here is break this pin by testing all the possible combinations with a brute-force app (easily available on the internet). Once I’ve found the correct combination, job done! I simply unlock the phone, and I can read your files. Which means I have access to all your passwords, email, WhatsApp, Facebook, etc.
It's a common technique used by hackers, as well as the police. In fact, some hackers steal phones in order to unlock and resell them. They gain physical access to the phone, plug it into their computer, use an app to read it as if it were a USB key, then unlock the phone to resell it.
Hence the importance of a solid pin code, as this is what encrypts your device. Instead of a 4-digit code, use a long passcode.
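To put numbers on that advice, here is an added example (not part of the original post) that estimates how long it takes to try every passcode of a given shape at the rate the post implies, 10,000 combinations in about 30 seconds. The function names and sample passcodes are constructed for illustration, and the guess rate is an assumption derived from the post's figures; real hardware may be faster or slower.

```python
import string

# Assumption derived from the post: 10,000 pins tried in about 30 seconds.
GUESSES_PER_SECOND = 10_000 / 30

# Character classes a passcode can draw from.
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation)


def alphabet_size(passcode: str) -> int:
    """Size of the combined character classes the passcode uses."""
    for c in passcode:
        if not any(c in chars for chars in CLASSES):
            raise ValueError(f"character {c!r} is outside the modelled classes")
    return sum(len(chars) for chars in CLASSES
               if any(c in chars for c in passcode))


def keyspace(passcode: str) -> int:
    """Number of passcodes with the same length and alphabet."""
    return alphabet_size(passcode) ** len(passcode)


def worst_case_seconds(passcode: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try the whole keyspace. This is an upper bound for a randomly
    chosen passcode; birthdays and common words fall much sooner."""
    return keyspace(passcode) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, span in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    # Constructed sample passcodes, not real ones.
    for sample in ("4821", "482193", "river7", "River7!Stone"):
        print(f"{sample!r:16} keyspace={keyspace(sample):.2e}  "
              f"worst case={human(worst_case_seconds(sample))}")
```

Going from four digits to six only moves the worst case from seconds to minutes; mixing letters and digits at the same length is what pushes it to days and beyond.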
What can I install on your phone to keep control of it?
My goal here will be to download "spy" apps in order to keep control of your phone even after it's no longer in my hands and after you get it back. What types of apps?
There are illegal spy apps I can install: I can have an app hosted on a website, enter the website address, download the app directly and that's it.
But I can also install spy apps that are actually legal! Take the example of mSpy, an "Ultimate monitoring software for parental control". Installing this app enables me to snoop on your WhatsApp, Snapchat, Facebook, text messages, calls, location, etc. I can pretty much monitor and control anything I want. It's that easy!
I don't have to go through the App Store to download an app, which means I don't even need to know your Apple ID.
Another technique is adding a root certificate. A root certificate basically tells your phone that you are connected to a secure website. That's when that little padlock appears (you can probably see it at the top of your screen right now). Some authorities determine which secure connections are valid and which aren't, which means that when the padlock appears, that secure connection has been validated by a certificate authority. Their certificates come preloaded on your phone. However, I can add one myself on your phone: I just need your access code and then I can intercept all your secure communications and read everything you're doing. (Yes, HTTPS and the little padlock appearing on your search box don't necessarily mean your connection is safe!)
Once I’ve installed a spy on your phone, it is very difficult for you to notice it: you either need to apply forensic techniques (techniques used by the police) to analyse what’s on your phone, or you need to intercept the connections of your phone. Either way, you need to be an expert to be able to do this.
That is why it is important to use preventive measures to avoid an attack.
What YOU can do to prevent your phone from being hacked...
Measures that you can take to avoid a local attack:
1) Use a longer passcode with an alphanumeric keyboard and biometric access instead of a 4-digit pin code or a pattern. Breaking a long alphanumerical passphrase by observing you typing it or even with a brute force app is extremely complicated. (To set a longer numeric code or alphanumeric code, go to Settings – Touch ID & Passcode – Change Passcode). You can already considerably increase your protection by using a long passcode together with biometric access.
2) Enable the parental control access: lock your settings by enabling parental control, which gives you another password. Parental control limits an attacker's access to some configurations, as it means they have to enter a second password on top of the passcode. Even if they manage to unlock your phone, they won't be able to install something, as they'll need to go to your settings to do that, and with the parental control it'll ask them for another code which they don't have. (Please note: the parental control is not enabled by default, you need to activate it. To do so, go to Settings and tap Screen Time. You can then enter a passcode and configure Content & Privacy Restrictions as you see fit).
Parental control access is an added layer of protection that is only useful "live", that is, whenever I have physical access to your phone in the moment, as it will prevent me from changing the settings. However, it is not useful if I take your phone and plug it into my computer in USB mode (as mentioned above), as I'll have access to the entire system in that case, which will allow me to do more things, including having access to the passwords.
Nonetheless, by using a long passcode and enabling parental control access, you are already far more secure and protected.
3) Don't make it easy for anyone to touch your phone. You shouldn't easily give your phone to people. Your phone stores a lot of confidential information that you do not want to get out. That includes your passwords, email, bank account logins, social media access, etc. Treat it accordingly. Similarly, avoid leaving your phone in places where someone could easily get hold of it.
4) Not much else you can do. Except for not having a smartphone (which can be an option!)
The real challenge of a local attack, since it's "physical", is that the attacker needs to touch the phone. He must be able to access the device physically, which isn't always easy. However, technically speaking, it is easier than a remote attack.
If interested, this blogpost focuses on remote attacks: how your phone can get hacked from a distance.