From Ashley Madison to Snapchat, security leaks are constantly publicised in the media. Security is becoming an increasing headache for enterprises: the amount of information available online is growing exponentially every year, and the rewards for hackers are increasing with it. But how easy is it for someone to hack into a mobile phone?
In January this year there was a widely-publicised case where the FBI were offering a one-time fee to hackers who could help them break into an iOS device.
Security is a multi-million dollar business with vendors continually innovating and creating new software to protect their customers. It might be tempting to assume, therefore, that mobile devices are quite secure and that hacking poses a marginal threat.
The problem with this is that the biggest glitch in the system is, well, us.
Instead of attempting to go around the software, hackers are often going around us instead. Research by Alan Paller at the SANS Institute has found that 95% of all attacks on enterprise networks are the result of successful spear phishing, effectively meaning that user behavior is responsible for most of the damage caused, rather than tech vulnerabilities.
The techniques that hackers use are not dissimilar to the phishing techniques used in the early 2000s. In fact, these methods are easier on mobiles than they were on desktop. With desktops the hacker has to take into account the target’s screen resolution, how they’ve configured their desktop and which operating system they are using.
With mobile, however, there are only two (or arguably three) main operating systems, making it much easier for hackers to imitate their look and feel. A generational divide also comes into play here. While the older generation is still wary about putting credit card details into any website, the younger generation that grew up with ubiquitous technologies is far more trusting.
The Hacker’s Toolkit
The toolkit for a hacker is easily purchased and modified. Items such as the Pineapple access point (AP), which are marketed for ‘reconnaissance’, can be bought for under $100. Worryingly, they can easily be used to carry out phishing attacks.
As almost every cell phone on the market comes equipped with a Wi-Fi antenna, part of their functionality includes software that is constantly on the lookout for Wi-Fi networks it can connect to.
As a consumer, connecting to open or known Wi-Fi hotspots can boost internet speeds and of course save on data costs. Hackers prey on this, and using spoof connections the hacker can access every single bit of data that’s being shared through this network – from passwords and locations to private messages and bank details.
How to phish on an Apple device
Everyone’s familiar with old school phishing emails: the ones that claimed you had won a competition or inherited a fortune. Well, just like those emails, the aim of phone phishing is to get the user to click and download a profile onto their device.
There are certain technologies (e.g. Twilio) that can detect which carrier is being used. From here, the hacker is able to send a text to the mobile, designed to look like it comes from a legitimate source, such as ‘find my phone’ or something official from Apple itself.
The message will often contain a sense of urgency, encouraging users to act on the spot. Once the person has followed the link, they will be taken to a spoof profile.
Apple currently do not verify people creating profiles, meaning new submissions are automatically approved. Hackers can use this to make a profile look authentic and instantly approved by Apple.
Once the profile is downloaded, the hacker has full access to the data on the device. What’s more, that access is not just read-only: some malware is able to change information such as phone numbers and even stock prices, or install an app which is almost impossible to remove.
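A profile can be inspected before anyone trusts it. The following is an added example, not part of the original article: it parses a `.mobileconfig` file and flags payloads that change trust or traffic routing. The payload type identifiers are Apple's documented ones, which the article does not name, and the sample profile is constructed.

```python
import plistlib

# Apple-documented payload types (list assumed for this example).
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a root CA (enables TLS interception)",
    "com.apple.proxy.http.global": "routes web traffic through a proxy",
    "com.apple.vpn.managed": "routes traffic through a VPN",
    "com.apple.wifi.managed": "adds a Wi-Fi network the device will auto-join",
    "com.apple.webClip.managed": "adds a home-screen icon that opens a URL",
    "com.apple.mdm": "enrolls the device in remote management",
}

def load_profile(data: bytes):
    """Return (profile_dict, signed). A signed profile is a CMS blob wrapping the XML."""
    signed = not data.lstrip().startswith((b"<?xml", b"<plist", b"bplist"))
    if signed:
        start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
        if start < 0 or end < start:
            raise ValueError("no embedded plist found")
        data = data[start:end + len(b"</plist>")]
    return plistlib.loads(data), signed

def audit_profile(data: bytes):
    """List findings for one profile. The signature itself is NOT verified here."""
    profile, signed = load_profile(data)
    findings = []
    if not signed:
        findings.append("profile is unsigned")
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("profile blocks removal by the user")
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "") if isinstance(payload, dict) else ""
        if ptype in RISKY_PAYLOADS:
            findings.append(f"{ptype}: {RISKY_PAYLOADS[ptype]}")
    return findings

# Constructed sample profile (placeholder values, not installable).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.profile",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadContent": b"\x30\x00"},
        {"PayloadType": "com.apple.proxy.http.global"},
    ],
})

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE)))
```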
The key is prevention
Once hacked, there is no way to know your information is being re-routed. Most experts agree that the best form of protection is prevention.
Users should be exercising caution when downloading large numbers of apps, in particular if they are not from an official app store. They should also pay attention to the Wi-Fi networks their phone is accessing.
For enterprises seeking to limit the risks to corporate devices, there are two main options. Firstly, education and internal training programs can give employees the knowledge that will reduce the likelihood of risky behavior.
As any IT or mobility administrator will tell you, however, employees can often be stubborn or otherwise unresponsive to even the best training programs.
The most secure option is to invest in technologies that will give admins insight into behavior. EMM solutions will safeguard the apps that can and can’t be downloaded to end-user devices and MTD vendors can offer visibility and protection from this type of attack.