The Two Most Dangerous Phone Attacks And How To Prevent Them
In an RSA keynote address earlier this year, Cellebrite’s Senior Director of Digital Intelligence, Heather Mahalik, joined a SANS Institute panel that discussed “The Five Most Dangerous Phone Attacks.” Heather covered two of the five attack scenarios and their solutions.
The first attack discussed the potential for your device falling into the wrong hands and how the checkra1n exploit changed the game for iOS users, who may have always felt safe but now aren’t.
The second attack Heather covered focused on the risk of leveraging applications that simply rely on two-factor authentication (2FA) and not 2FA in addition to a password. Cases are popping up where a phone number is recycled allowing the new owner of your old number to access all of your old data by simply getting the 2FA token sent to the phone via SMS.
Here’s how Heather described the best ways to deal with these problems.
We are all addicted to our mobile devices. This is the fight I have in my house every day, even with my three-year-old. She wants to be on the iPad, she wants my iPhone, and she begs me to unlock it. My kids will even take my phone and make me look at it. It’s crazy but think about it. At work and at home we’re entering our financial information.
I just had to pay a remaining balance for a vacation this summer. How do you think I did it? On my phone. It is annoying to have to put down your phone and go to your computer. Everything we’re doing—taking pictures of our families and children, describing our vacations, and paying bills. It’s all there.
The question is: “What do you do that does not involve your phone?”
We exercise and take pictures of our experiences. People use phones on the go and to help navigate while driving. Our phones are our go-to devices, even when want to be entertained. You know this is true, but this addiction to mobile phones is what makes them (and us) so vulnerable to attack.
Think about this, if you could get into my phone you could probably access a lot more information than if you got into my Mac because I live on my mobile device. So, this leads me to the two attacks I’m going to address.
Two Dangerous Phone Attacks
- Your Phone Falls Into The Wrong Hands
This can happen so easily. It could be that you genuinely want to upgrade your phone and so you turn it over to your network service provider. Then, someone else gets your refurbished phone. But what if it hasn’t been properly reset?
Now, think about the workplace. What happens if you have an administrator who does not properly sterilize a designated work phone after you turn it in and gives it to someone else. What can a new owner get from it?
At this point, I want to challenge you. If I pulled a fire alarm right now and you had to make a choice between whether to leave your wallet on your chair or your phone, which one would you leave behind? I can guarantee you; I would leave my entire backpack before I would leave my phone.
Because of its importance in your life your phone is your greatest point of vulnerability, yet people often don’t consider the risks of losing their phone. How sure are you that no one is going to get into your device? It’s difficult even for me, and I’ve been dealing with mobile phone security for 11 years. I’d be terrified if someone’s said let’s try right now and see if we can gain access to your phone.
Now, why should you be concerned?
Have you heard of checkm8 and checkra1n? The is the golden age for attackers on iPhones and iPads. Most people who have Mac devices assume they are really, really safe. Not true!
There is a checkm8 exploit that is in the chip of the device. What this means is that it cannot be patched. The jailbreak for that exploit is called “checkra1n.” Checkra1n is free and available to anyone. So, all you need is a Mac OS or Linux, and you can jailbreak the device. This is why it’s really, really bad if your iPhone falls into the wrong hands.
Now, this is a level of access that we haven’t seen in a decade. This excited me because as a digital forensic expert I thought I could get everything I wanted off of iPhones. At the same time, it is terrifying because what if you lose your own device?
- Two-Factor Authentication Does Not Protect You If It’s Simply Just A Code
If a bad actor has your device and knows your phone number, all they need is to receive a simple text that empowers them to become you. This happened in a case I worked on two months ago and then again just three days ago. I have seen this often.
Let’s say you have moved from the West Coast to the East Coast. You recycle your phone number. And let’s say your employer requires you to have a number in your new office’s area code.
So, you get a new device. Well, maybe then Verizon recycles your old phone number and gives it to someone else. The problem for you is, the moment they download WhatsApp, they can log in with their phone number, which is your old phone number.
Guess what that means? They get the security code and with it they get all of your messages as it loads completely on their phone. It’s terrifying. Maybe the person is not a phone attacker and they’re not trying to do it maliciously. But what if they are? Now do you understand why you must be very, very careful with this?
To avoid phone attacks, do not use an application for anything you care about, especially banking! That’s what we are seeing if you also don’t need a password. So, you want a password and two-factor authentication to make sure you’re protected. If it’s just one or the other, it’s not a great scenario.
How to Avoid Attacks
So, what should you do?
First, realize that your mobile device is literally as important as your wallet. It is essentially another extension of your body. Your phone contains everything someone needs to know about you. Do not assume that your data is not important enough. I used to always joke saying, “I’m so boring no one wants my information.” Really? What about all your financial information that’s there?
Second, and this is critical, always lock your phone!
If you do not lock your phone, it should be taken away from you. You are so vulnerable. Please lock your devices and keep remote access enabled.
Remember that fire drill I mentioned earlier. If you chose to leave your phone and I got ahold of it and then dumped your device and performed exploits on it, at least you could ping it and see where it was. Maybe you could relock it and try to stop further attacks from happening. So, make sure you can do that.
If you are going to change jobs and need to turn in your device, wipe it first. But before you wipe it, make sure it’s encrypted because then at least all the data that’s wiped will be in an encrypted state.
Never ever, ever dispose of a device that has not been wiped. It blows my mind that people do this.
As far as your apps go (and I know that two-factor authentication makes people nervous), if you are going to get a new phone number, here’s what I recommend you do:
- Log into every single application that uses two-factor authentication and change it to your new phone number.
- Make sure you use apps with a passcode.
- Be careful about what you were sharing.
We’re all putting way too much valuable information out there, so don’t make yourself a target for attackers.
Q&A With Heather
Here are some of the questions Heather answered at the RSA event:
Q: Regarding exploits, can any of them be used by the digital forensics investigator to make their jobs easier?
A: Yes, but this is hard for a lot of people to understand; what can be used for evil can also be used for good. So, you must consider things like this. A jailbreak can get you full-file-system access to the iPhone, which would then let you access application usage logs, different system logs, and things that we wouldn’t see otherwise. So, absolutely, it can be used, and it is being used that way by the DFIR community.
Q: Is my device at risk if it’s up to date with the latest hardware and firmware?
A: You are at risk. Actually, if you have an Android that is fully patched and fully up to date, you are safer than if you have an iPhone 10 running the latest iOS version.
Q: You said two-factor authentication works well until it’s time to get a new device. Any tips for making it easier to move two-factor authentication tokens to a new device, especially between Android and iOS?
A: Yes. If you’re getting a new phone number, you really need to consider the two-factor authentication you’re using and literally log out of those and make sure you associate them with your new phone number. Then you should be safe. Also, make sure you have a password backing up or in the foreground of the two-factor authentication.
Q: Is manufacturer-supplied, built-in, mobile-device encryption enough to protect against everyday attackers?
A: It really depends. When it comes to encryption, if you’re going with file-based encryption that comes with your Android and full-disk encryption or file-based encryption on iOS, you’re probably OK if you have the following:
- You have a password.
- Keep that device in your control.
- Make sure you have remote access to it.
Together these should be good enough unless you lose your phone. That is when you really are at risk.
Q: My employer has a “bring-your-own-device” program. How much access are they legally able to demand of my personal phone?
A: That’s a tricky one. Have you signed an agreement? I have worked places where people have paid for my phone every month, but I signed nothing that said I have any rights to my phone information. I could guarantee you, if they wanted the device, I would wipe it and then say, “Here you go.” But if you sign something that says your employer has rights to your personal device, I would keep business and personal completely separate and assume that they can see everything.
Q: Will mobile, anti-malware protect against malware issues?
A: What I recommend is that you have mobile-device management that will detect a jailbreak if someone is attempting to root your device or get root-level access. So, if you did have mobile device management on your iPhone and someone tried to checkra1n it, you would be alerted and protected if it was set to stop it. I would recommend mobile-device management.
Q: Can jailbreaks be exploited automatically, meaning if a user accesses a website with their fully updated mobile device, can that website take over the device?
A: No. Because one would have to install the jailbreak onto the iPhone, which is a full procedure to accomplish. DFU mode would need to be activated, which would not be able to be initiated by the website.
Q: Most mobile devices connect to cloud accounts. Is that a bigger risk as the content in the Cloud is not usually encrypted?
A: Not necessarily because you should have password and two-factor authentication protecting it. And it is usually dual, so you should be safe.
Share, Share, Share
Here’s one last thought. Everyone obviously has a voice. If you see something that piques your interest, don’t just hide in your shell. Be aggressive and research it. Put the word out there and share because you are your own advocate and, honestly, we need younger people in cyber-security. We need people that want to chase things, switch fields, find something that impacts the world, and switch to forensics. Do whatever matters to you but share it. Share back.