How I’d Hack Your Weak Cell Phone

John P. September 24, 2012

Literally a billion people are walking around the planet with cell phones, a large percentage of them smartphones, and do you know how many of them are secure? Virtually ZERO! And while you may think cell phones don’t need anti-virus, anti-malware and other security precautions – you couldn’t be more wrong. And that’s why I could easily ruin your life, using nothing more than your cell phone.

UPDATE: Here’s a segment from ABC World News where John P. explains the importance of strong passwords: [embedded video]

The Root of the Cell Phone Hacking Problem

The most important thing when it comes to taking over your world is knowing your passwords. So the majority of hacks are aimed at this one goal. Control the passwords, and you literally control the digital life.

Married to the password issue is gaining access to an email account. Primarily because if you control the email account, you can issue password resets on just about anything else. But not EVERYTHING else. Some service providers, like banks, require customers to verify certain changes through, yep… you guessed it, a text message sent to your cell phone!

So if you think it sounds bad for a criminal to hack your passwords, just imagine what happens when they have your password and control your cell phone. It’s a recipe for absolute disaster.

Cell Phones Are A Security Nightmare

We all know what kinds of problems people have with computers at home and work. A virus can destroy everything, and malware can take you to the cleaners. And desktop machines and laptops have anti-virus, anti-malware, firewalls, and other security tools on them all the time. But smartphones have NONE of that security! What’s worse:

- All of your apps are logged in all the time, for convenience.
- Your email is wide open.
You know, so you can read it all day.
- Your contacts are in plain sight so you can use them with your phone.
- And of course, email is the gateway to everything else…

Why I’d Hack a Cell Phone

Hopefully by now, you’re seeing where we’re going with all of this. But let me spell it out for you very clearly. If I hack your cell phone:

- I’ve got immediate access to your email account.
- I can log in to all of your personal sites and request password resets, which will come to your email.
- I then click on those links and reset every password you have, so YOU no longer have access to your accounts. EVERYTHING! Facebook, Twitter, Gmail, MSN, Foursquare. In under 15 minutes I can own your profile on all of the top 20 services on the Internet.
- This renders you powerless, because you can’t control anything to prove you are who you are.
- Best of all, with certain methods I can even respond to SMS (or phone calls) for secondary verification! Because I’d own your phone.
- Oh, never mind, that’s not the best part. I can find that text file where you keep your Social Security number, Driver’s License number, addresses, passwords, and answers to security questions! Because I know you’ve got that on your phone… it replaced the piece of paper you used to keep in your wallet.

In essence, your phone is my ticket to impersonating you.

HOW I’d Hack a Cell Phone

- Steal / Find your phone. People walk away and leave them on a table in a restaurant, or at work. No one will even notice if I just pick one up and keep going.
- Install a “great” app, with a trojan backdoor that captures everything you type and sends it to me silently in the background.
- Email or text you a malicious link that takes you to a phishing site where I con you into giving me information.
- Let you connect to my “free” unsecured hotspot, then intercept all of your traffic and read everything you send across the line.

Oh, you know how phones nowadays can supposedly tell you where they’ve gone and be remotely wiped clean?
That doesn’t always work, and people like me know exactly how to prevent that. Plus, by the time you’ve discovered your phone is missing, I already did all that stuff I just mentioned, and then threw it away before you ever even thought about remotely locating and clearing it. So, that didn’t really help, did it…

How to Prevent All of This

- Use tough passwords!!! And use a password manager like 1Password to safeguard your secrets.
- Use different passwords for different services – in case one is compromised, they don’t have them all.
- Put a digital LOCK on your phone. Android and Apple devices have one built right in. By the way, 15% of iPhone users use one of these: 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, 1998. So use something random and hard!
- Don’t install untrusted apps. They could contain backdoors to your phone.
- Security companies like (Norton for Android), (AVG for Android) and Avast (on Android) are beginning to produce anti-malware apps for smartphones, so install one to stay ahead of the curve.
- Oh yeah, and be paranoid. Be VERY paranoid.

12 Responses

Jinnifer Morris September 27, 2012
I’m curious, you mentioned Norton, AVG, and Avast. How does the Kaspersky app (for Android) compare?

weirdo September 24, 2012
Isn’t it better to not use a PIN number and just go with a difficult password? Anyways, if you get conned by a phishing site, you really need better security on your computer. As in GET AN ANTI-VIRUS PROGRAM RIGHT NOW.

john wilkinson September 24, 2012
How would you get around the pattern lock on Android or the PIN lock on iOS if it wasn’t one of the ones you listed or was set to wipe the device after 3 failed attempts?

John P. September 24, 2012
There really isn’t a way around that, which is good. The goal here is to make your phone such a hard target that they move on to something easier. Having said that, I could disassemble the phone and get to any unencrypted data that happens to be stored on the device itself.
Which is why it’s so important to use 1Password or some other encrypted form of note storage.

john wilkinson September 24, 2012
Would the encrypt device option in Android be of use in that scenario?

John P. September 24, 2012
Possibly, but I haven’t actually tried it and torn a phone apart yet.

Chris Hubbell September 24, 2012
I think you’re just scaring people to buy cell phone antivirus. The incidents of cell phone malware are still ridiculously low. As long as you’re not rooting your phone or installing 3rd party apps, you have very little to fear (other than losing it). There are no real viruses for Android or iPhone; both have markets that will allow Google and Apple to remove malware. Remember, AV software developers want to sell AV software, and AV software will slow down your phone and annoy you. I also recommend using Android pattern security. Even the US government is having trouble with that one.

Maarten van der Blij September 24, 2012
Here is where you’re very wrong. When you install an app you give pretty much access to all your information on your phone. Ever used WhatsApp? They used to upload your whole contacts list to their servers. Not sure if they still do this. If you install a shady app, you may have given access to most of the personal data. Also, when the app is on your phone and it runs in the background, it can pretty much send everything to their server. Most of the time these apps get removed, but when you installed it, it’s already too late for you.

John P. September 24, 2012
All of the apps I recommended have free variants. And even if they didn’t, $10 (or whatever) is nothing compared to the pain I’ve witnessed some people going through. Cell phone crime isn’t yet competing with the desktop, but it’s a matter of “when” not “if”.

texsippian September 24, 2012
I’m so grateful you posted this, although I got a chill when I read it. Which leads me to my question: what can you do if you have reason to suspect you’ve been hacked?
How do I confirm a breach and fix it? Thank you so much for any resources or advice you can provide.

John P. September 24, 2012
The best thing you can do if you suspect your phone has been compromised is to do a complete reinstall. Most phones have an option to “Factory Reset”, and you can do that. Otherwise, take your phone to the carrier’s retail store and ask them to reset it for you. Just make sure and get your photos and things off before you do! And sync your contacts somewhere. Because the reset will erase everything!
John P.

texsippian September 25, 2012
Thanks, John. The temptation is strong to use this as justification to spring for the iPhone 5, but I’ll try the factory reset on my 4S first.
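
The ten PINs the post lists in its prevention tips share a handful of guessable structures. As an added example (not part of the original post or its comments), this Python check generalizes that list into rules a PIN-enrollment policy could apply; the function names, the sample word list and the 1900-2099 year range are assumptions.

```python
import re

# The ten PINs quoted in the post (used by 15% of iPhone users, per the post).
POST_PINS = ["1234", "0000", "2580", "1111", "5555",
             "5683", "0852", "2222", "1212", "1998"]

MIDDLE_COLUMN = "2580"  # the only four-key straight line on a phone keypad
# T9 letter-to-digit map, to catch PINs that spell a word (5683 = LOVE).
T9 = {c: d for d, letters in {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
                              "6": "mno", "7": "pqrs", "8": "tuv",
                              "9": "wxyz"}.items() for c in letters}
COMMON_WORDS = ["love", "hope", "baby", "king"]  # assumed sample word list
WORD_PINS = {"".join(T9[c] for c in w) for w in COMMON_WORDS}


def weak_pin_reasons(pin):
    """Return the structural reasons a 4-digit PIN is easy to guess."""
    if not re.fullmatch(r"[0-9]{4}", pin):
        raise ValueError("PIN must be exactly four digits")
    digits = [int(c) for c in pin]
    # Step between neighbouring digits, modulo 10 so 9012 counts as a run.
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    reasons = []
    if steps == {0}:
        reasons.append("single repeated digit")
    if steps in ({1}, {9}):
        reasons.append("ascending or descending run")
    if pin[:2] == pin[2:] and steps != {0}:
        reasons.append("repeated pair")
    if pin in (MIDDLE_COLUMN, MIDDLE_COLUMN[::-1]):
        reasons.append("straight line on the keypad")
    if 1900 <= int(pin) <= 2099:  # assumed range for birth/anniversary years
        reasons.append("looks like a year")
    if pin in WORD_PINS:
        reasons.append("spells a common word on the keypad")
    return reasons


def blocked_count():
    """How many of the 10,000 possible PINs the rules above reject."""
    return sum(1 for n in range(10000) if weak_pin_reasons(f"{n:04d}"))


if __name__ == "__main__":
    for p in POST_PINS + ["7394"]:
        print(p, weak_pin_reasons(p) or "no rule matched")
    print("blocked:", blocked_count(), "of 10000")
```

Every PIN on the post's list trips at least one rule, while the rules together reject only 324 of the 10,000 four-digit PINs, so a policy like this removes the popular choices without shrinking the usable space much.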