23 June 2016

Here's How Your Smartphone Can Be Hacked Without You Knowing


by JENNIFER SCHLESINGER, CNBC and ANDREA DAY, CNBC
JUN 18 2016

Not only can your smartphone be hacked, it can be done very easily without your knowledge.

"At the end of the day, everything is hackable. What I am surprised about is that people sometimes forget that it's so easy to hack into these devices," said Adi Sharabani, the co-founder of mobile security company Skycure, who used to work for Israeli Intelligence.

Even if a malicious attacker cannot get into your phone, they can try to get the sensitive data stored inside, including contacts, places visited and e-mails.

"It's important to realize that the services your smartphone relies on are much more attractive targets to attackers. So for example, the photo leak that happened from iCloud where a bunch of celebrities had their photos posted all over the Internet is the perfect example," said Alex McGeorge, the head of threat intelligence at cybersecurity company Immunity, Inc.

Often, the hack or data breach occurs without the consumer's knowledge, according to Sharabani.



And it's not just consumers that criminals target. With the rise of smartphones and tablets in the workplace, hackers attempt to attack enterprises through vulnerabilities in mobile devices.

Both Sharabani and McGeorge perform attack simulations for clients and find that these hacking demonstrations usually go undetected.

"It's usually very rare that a breach that originated through a mobile device or is just contained to a mobile device is likely to be detected by a corporation's incident response team," McGeorge said.

And Sharabani agrees. He says he's still waiting for someone to call him and say that their IT department identified the attack demonstration.

"No one knows," he said. "And the fact that organizations do not know how many of their mobile devices encountered an attack in the last month is a problem."

But there is a silver lining, according to the wireless industry.

"The U.S. has one of the lowest malware infection rates in the world thanks to the entire wireless ecosystem working together and individually to vigilantly protect consumers," said John Marinho, vice president of technology and cybersecurity at CTIA, the wireless association. CTIA is an industry group that represents both phone carriers and manufacturers.

Here are the three ways a smartphone is most likely to be breached.

Unsecure Wi-Fi

Wi-Fi in public places, such as cafes and airports, could be unsecure, letting malicious actors view everything you do while connected.

"Someone is trying to gain access to your email, to your password. They are trying to gain access to all of your contacts, who you meet with, where and when. Do you approve? So me, as a security expert, I always click cancel," Sharabani said.

To know if you're on an unsecure connection, pay attention to the warning messages your device gives you. On iPhones, a warning will come up saying that the server identity cannot be verified and asking if you still want to connect. You will be prompted to click "continue" before you can join the Wi-Fi.

Despite the warning, "92 percent of people click continue on this screen," according to Sharabani.

"Your phone actually has a lot of really good built-in technology to warn you when you are going to make a poor security decision. And what we found through our general penetration testing practice and talking to some of our customers is people are very conditioned to just click through whatever warnings it is because they want the content," said McGeorge.

To protect yourself, be careful when connecting to free Wi-Fi and avoid sharing sensitive information.

Operating system flaws

Despite the best intentions of smartphone manufacturers, vulnerabilities are found that could let attackers in.

"We see that the average ratio is that more than one vulnerability being publicly disclosed every day, and 10 percent of those are critical vulnerabilities, vulnerabilities that allow someone remotely to gain access to your device and control it," Sharabani said.


Device manufacturers release operating system updates frequently to protect users.

"All of those updates have really important security fixes in them and people are worried well maybe this is going to impact how I use my phone or maybe my phone isn't compatible. They need to apply those updates as soon as they come out," said McGeorge.

Experts advise you install operating system updates as soon as they are available. Once updates are released, hackers know about vulnerabilities and attempt to breach out-of-date devices.

Applications add functionality to smartphones, but also increase the risk of a data breach, especially if they are downloaded from websites or messages, instead of an app store. Hidden inside applications, even ones that work, could be malicious code that lets hackers steal data.

"The app ecosystem of mobile phones is enormous. Neither Apple nor Google can possibly look through every single app on their store and determine if it's malicious or not," said McGeorge.

To protect yourself, McGeorge advises you limit the number of apps you install.

"The more apps you have increases what we call the attack surface on your phone. What that means is there is more lines of code and therefore there is higher incidence there is going to be a security critical bug in that amount of code," he said.

McGeorge also suggests you think about who the app developer is and if you really need the app.


Skycure's Sharabani suggests you look at the warning messages when installing applications.

"Read those messages that are being prompted to us that sometimes say, 'This app will have access to your email. Would you agree?'" he said.

Bottom line, according to Sharabani, is that there is no such thing as being 100 percent secure. But there are many ways to reduce the risk and make it harder for hackers to invade your smartphone.

In a statement sent by e-mail, an Apple spokesman said, "We've built safeguards into iOS to help warn users of potentially harmful content … We also encourage our customers to download from only a trusted source like the App Store and to pay attention to the warnings that we've put in place before they choose to download and install untrusted content."

And Google, which oversees Android, said it has also added privacy and security controls.

"Last year, we launched a privacy / security controls 'hub' called My Account. Since then, 1 billion people have used this and just last week we added a new feature called Find your phone. It's a series of controls that enable you to secure your phone (Android or iPhone) and your Google account if your device is misplaced, lost, stolen, etc," a spokesman said in an e-mail. 
