How smartphone users can keep one step ahead of the hackers
The discovery of new weaknesses in Android devices was announced at a recent hackers’ convention, and although these were addressed quickly, the problem is only going to get bigger. Apple users had a shock this week too.
At this month’s DEF CON 24 annual hacker convention in Las Vegas, security vendor Check Point – whose job is not only to fix vulnerabilities, but discover them before criminals do – revealed details of what it called QuadRooter, a set of four vulnerabilities affecting no fewer than 900 million Android smartphones.
Check Point found that by using a malicious app, hackers could potentially gain access to the Qualcomm chipsets inside best-selling Android phones including the BlackBerry Priv, Samsung S7 and Sony Xperia Z Ultra, among many others. Three of the vulnerabilities were fixed by a recent Android update, and security patches for the fourth are gradually being rolled out.
Hong Kong is one of the most targeted cities in the world for cyberattacks, so it is understandably concerned about malware – malicious software actively designed by hackers to cause harm or manipulate users of the mobile devices it infects.
With smartphones, it is not easy for users to immediately detect a hijack. “It’s actually a lot harder than you might think,” says Bryce Boland, chief technology officer for Asia Pacific at Singapore-based FireEye, which provides real-time threat protection to governments and businesses – including high-profile organisations in Hong Kong – against the next generation of cyberattacks. (The company is hosting a security summit in Hong Kong on September 1, on ransomware and mobile threat prevention.)
“Depending on the sophistication of the attackers and their work, it could be nearly impossible to determine if a device has been compromised.”
Encrypted messaging doesn’t help much either. Although the likes of BlackBerry Messenger, WhatsApp and Apple iMessages are all encrypted and theoretically keep messages private and safe from hackers, that promise only goes so far.
“The vulnerability might provide the attacker with access to the unencrypted messages,” explains Boland. “Often times encryption is circumvented by compromising the security of devices, instead of through decryption.”
If you own an Apple iPhone, you’re probably feeling smug about QuadRooter, a purely Android phenomenon. Don’t.
The California-based company had to issue a security update on Thursday after researchers discovered spyware that could allow hackers to intercept all voice and data communications and access every photograph and video. The discovery has put a dent in the reputation of Apple products as largely hack-proof.
FireEye last year also published research into so-called “masque attacks” against iOS devices. Its findings uncovered evidence that Hacking Team – a Milan-based organisation that develops “offensive technology” for the law enforcement and intelligence communities – was selling targeted iOS malware masquerading as, and directly replacing, everyday apps like WeChat, WhatsApp, Twitter, Facebook, Google Chrome, BlackBerry Messenger and Skype.
Otherwise identical to the genuine apps, these reverse-engineered and weaponised versions have a layer of code that extracts sensitive data and contacts a remote server.
Besides, all phones have the same fundamental weakness. “Both iPhones and Android phones contain a baseband processor, which can in theory be used to bypass all encryption and directly monitor all communications on the device,” says Douglas Crawford at bestvpn.com, a comparison site for Virtual Private Networking (VPN) technologies.
That should be a wake-up call for Apple users, who for a long time presumed hackers only go after the biggest platforms and handsets: Windows PCs and Android phones.
Tech research company Gartner reports that in the second quarter of 2016 Android held 86.2 per cent of the global smartphone market to Apple’s 12.9 per cent. There is, however, a crumb of comfort for iPhone owners.
“The difference between iOS and Android is how their manufacturers can respond,” says Boland, adding that because Apple controls the software and the hardware, it can push out security updates quickly.
“Most Android users are beholden to their phone’s manufacturer for security updates, and that’s a bad position to be in … many Android users are running old software with numerous publicly known vulnerabilities.”
More of an issue than what phone you have is where you live.
“Hong Kong is one of the most targeted regions of the world for advanced cyberattacks,” says Boland. “In the second half of last year, 43 per cent of the organisations we observed there were exposed to advanced cyberattacks – the global average was 15 per cent.” Only Taiwan was found to be worse, with 60 per cent of organisations exposed.
“We’ve observed attacks on journalists and activists in Hong Kong,” says Boland, while Crawford says that during the Occupy Central protests it’s very likely that protesters’ phones were deliberately infected by sophisticated malware called Xsser mRAT, spread via WhatsApp. “It was downloaded by many because it appeared to be written by activist developer group Code4HK in support of the protests,” says Crawford. “Infected phones allowed the attacker access to just about all data stored on the phone, including emails, messages, address book, GSM location data, and photos.” The Android version even allowed the attackers to make phone calls, record a phone’s surroundings, and download files.
So what can we do to protect ourselves from malware? “When you buy your next smartphone, consider the security credentials of the manufacturer and its commitment to security updates,” says Boland. Many are slow to act. “If more people value security, the market will respond and the ecosystem will improve.”
It’s also about identifying who or what you want to protect against. “Using an encrypted messaging app will protect you from criminal hackers, prevent your internet service provider from listening in on your conversations, and evade blanket government surveillance,” says Crawford. “But against a determined state-level actor targeting your communications, all bets are off.”
Anything with a chipset in it is at risk. In a future of smart cities and driverless cars, that’s going to mean a lot more than phones. “Any connected system will face similar issues, and connected cars are no exceptions,” says Boland. “Attackers could use your car to spy on you, inflict harm, create disruption, or they could hold it for ransom.”
However, fostering a community that attempts to spot security flaws and sabotage would give security a boost. “The best thing the tech world can do is to open-source their code so that others can help find security flaws and ensure that products have not been deliberately tampered with,” says Crawford. If everyone’s looking, goes the theory, nobody can hide.