The bad news – all it takes is a bit of time and diligence for anyone, even a person without technological expertise, to hack into another person’s mobile phone – just as some staffers of the News of the World did to access the voicemail of the 2005 London bombing victims.
For a business that falls prey to such a hack the consequences could be costly: stolen passwords that could unlock other devices connected to the company network; company data-theft; leakage of privileged information about the business; and fraud that could cost the business tens of thousands of dollars.
The good news – a bit of time and diligence on the mobile device user’s part could help prevent such a hack.
The hacking scandal which saw the eventual closure of the London-based tabloid also shone a spotlight on the potential of the same techniques being used on the growing number of mobile devices now being used to connect to workplace networks.
Mobile security isn’t going to just happen
Hacking champion says Pwn2Own encourages exploit ‘weaponization’
Top 10 hacking tricks
“We now have a wide variety of devices that connect to the Internet and company networks. This incident highlights the need to be more conscious of mobile security,” says John Weigelt, national technology officer for Microsoft Canada.
For a growing number of mobile phone users, Weigelt said, there is now much more to lose than just digital phones and contact lists. “We now have corporate email on our phones. We may have personal banking information store in our devices from mobile transactions,” he said.
In fact, according to a Toronto-based security expert voice mail hacks similar to those carried out by people connected to the New of the World have been going on for years in Canada.
“This is a relatively simple procedure. The cases I am aware of here however were carried out for fraud and profit,” said Claudiu Popa, an independent security and privacy expert based in Toronto and principal of Informatica Corp a company that provides risk assessment, security management, compliance and corporate education programs.
How mobile phones are hacked
Traditionally, landlines were hacked into by physically connecting through terminal boxes. Another technique is to gain entry access data through a user’s mobile phone service provider. This may be harder but not impossible. Staff at the New of the World hacked into mobile phones by possibly using these two techniques:
- By guessing the passwords of the cell phone to gain access to the device. In many cases users never change the default codes on their phones.
- Gaining access to the phone through voice mail. A reporter would call the victim’s number and engage the phone while another reporter would call the same number and get directed to voice mail. The second reporter would then use previously obtained default codes to access the victim’s messages
Popa said one of the most common and easiest ways to hack into a phone is to through spyware. He said there are numerous software products that enable cyber criminals to listen in on conversation, read emails or take full control of the device without the user’s knowledge.
Back in 2009, he said he had a client whose company phone system was compromised this way. “The system they were using was still on default settings. The passwords were not changed so the hackers gained access to the voice mail,” said Popa.
Once inside, the hackers dropped a trojan that ordered the phones to make automatic, unauthorized long distance calls which earned the hackers more than $10,000 before the scheme was discovered.
Another technique, he said, involves gaining temporary physical access to the mobile phone to install key loggers or other malware that can either intercept calls or send out passwords, text messages and emails from the target phone to another device.
How to prevent a mobile phone hack
There’s always a way to get to a mobile user’s data, says Weigelt of Microsoft Canada. But simple measures such as taking the time to construct more complex passwords could lessen that chances of a breach.
“Make sure you change your default passwords and change your passwords often,” Weigelt said.
Related story: Consumer-focused trade-offs compromise Apple iOS, Android security: Symantec
Popa agrees. “Cell phones and smartphones are convenience devices. Their features such as email are often set for easy access so security is adjusted to the minimum setting.”
He also said there are some handsets and mobile applications that alert users at pre-determined intervals when passwords need to be changed.
There are also products that automatically “wipe” a phone’s memory clean should it detect multiple failed attempts at the password.
The security expert also said he sees no reason why users should keep their phone emails, voicemails and text messages stored for a long time on their mobile devices. “It’s best to keep your mail empty so that hackers won’t find anything to steal.”
Cleaning your phone
Old cell phone data can reemerge from the past to haunt you. Whether it’s because sellers are lazy or naive, cast-off phones still contain troves of information about their former users. And as phones get smarter, they’re ever more likely to hold bank account passwords, personal email, or private photographs that anyone with the right kind of motivation could exploit.
Smartphones usually have at least two stores of memory: a SIM card, and the phone’s internal memory. Many phones also have additional data stored on removable SD Card media. The SIM and SD cards had been removed from all the phones we purchased. But people seem to forget (or not know) about wiping the phone’s internal memory.
Related story: Staples should pay customers to wipe data
Even if you do everything right, and you wipe the phone exactly according to the directions, you might want to reconsider passing the handset along. “A phone is a lot like your PC: When you delete something, it’s not actually gone. A skilled investigator can carve out specific items that he or she is looking for,” says Christopher Shin, vice president of engineering for Cellebrite, a mobile forensics company.
If you’re really worried about unauthorized recovery of your data, BlackBerrys are a good choice: If you do a factory reset on the phone and don’t touch it for 30 days, the memory will automatically reorganize, making it harder for hackers to carve out pieces of your data in a forensic analysis. iPhone apps such as iErase and Android apps like ShreDroid will write over deleted data on your handset with random 1s and 0s after you’ve conducted a factory reset.
(With files from Megan Geuss)
Nestor Arellano is a Senior Writer at ITBusiness.ca. Follow him on Twitter, connect with him on LinkedIn, read his blogs on ITBusiness.ca Blogs, email nestor at [email protected] and join the ITBusiness.ca Facebook Page.