Hacking NFC phones, sneaking malware into Google Play and more: This is the beginning

Mike Dano

Mobile security firms have long warned of the threat of cell phone hacking. For example, in 2004 anti-virus company F-Secure Corp. said it discovered a Trojan computer virus for mobile phones running the Series 60 version of the Symbian operating system. The company said the bug replaced menu icons on the phone with a skull-and-crossbones symbol.

More recently, there have been a handful of well-documented cases of troublesome smartphone code, including malicious apps appearing on Android and established app makers surreptitiously storing users' personal information.

And it seems things are just getting started.

The recent hacker convention in Las Vegas, hosted by Black Hat and Defcon, offered a clear insight into the shady and nefarious realm of cell phone hacking. And the fact that smartphones are now practically ubiquitous among Americans appears to have motivated these hackers to find and exploit every nook and cranny in iOS, Android and Windows Phone.

"When I'm sleeping [my mobile phone] is on my nightstand; when I am traveling around it's in my pocket," Nicholas Percoco, an ethical hacker and security researcher, told NPR. "So the ability to do things to a mobile phone becomes even more enticing to a criminal."

So how exactly are hackers breaking into phones? According to the lengthy list of hacks presented at the Black Hat and Defcon convention, there appear to be security holes everywhere. In fact, the list of successful hacks presented at just this one event is enough to make even the most jaded wireless industry journalist take pause. For example:

  • Two researchers from the SpiderLab hacking division at data security company Trustwave detailed how they were able to bypass Google's automated Android malware detection service, dubbed Bouncer. The researchers, Nicholas Percoco and Sean Schulte, submitted an innocuous SMS blocking application (priced at $49 in order to prevent real people from using it) called SMS Bloxor to Google's (NASDAQ:GOOG) Play storefront, and managed to get it published. Then, in subsequent updates to the app, the researchers added malicious code that was designed to steal users' contacts, SMS messages and photos, and use the phone to conduct DDoS attacks. The researchers were able to sneak the mischievous code past Google's Bouncer program by using the same app technology that Facebook uses for its Android app: the app sat inside a "native wrapper" but used a "JavaScript bridge" to access additional code without requiring an update to the app itself. The researchers were successful in obtaining almost all the information they were trying to get, and only got caught by Google's Bouncer when they intentionally attempted to probe the limits of Bouncer's scanning abilities. Google declined to discuss the matter.
  • Charlie Miller, managing principal of security company Accuvant Labs, discussed how he was able to "fuzz" NFC technology in order to hack into two devices, a Nokia (NYSE:NOK) N9 and a Samsung Galaxy Nexus. "It turns out that through NFC, using technologies like Android Beam or NDEF content sharing, one can force some phones to parse images, videos, contacts, office documents, and even open up web pages in the browser, all without user interaction," he wrote. "In some cases, it is even possible to completely take control of the phone via NFC, including stealing photos, contacts, even sending text messages and making phone calls. The next time you present your phone to pay for your cab, be aware you might have just gotten owned."
  • Finally, Peter Hannay with Edith Cowan University showed how Microsoft's (NASDAQ:MSFT) Exchange ActiveSync technology--used by most smartphones to connect to an Exchange email server--can be used in some cases to remotely wipe users' smartphones. Hannay explained that he and his team set up a dummy Wi-Fi network that was able to connect to a number of smartphones, including those running Android version 4, iOS 5 and Windows Phone 7.5. In the case of Exchange setups that use "self-signed certificates," which Hannay said is the most common deployment style for small to medium businesses, he was able to completely wipe the Android test devices and the iOS test devices. Windows Phone 7.5, however, "provided no mechanism to easily accept a self-signed certificate (it had to be installed manually), when the certificate changed there was no easy mechanism to accept the new certificate." As for those Exchange setups using a "trusted certificate," Hannay was not able to wipe the Android or Windows Phone devices but he was able to wipe the iOS device. "The iOS devices tested provided a prompt to accept the new certificate, again with no advice and an easily available continue button."

Though there are plenty of caveats to each of the above examples, it's clear that cell phone hacking is a real and growing trend.

What's most disturbing though is that the dozen or so cell phone hacks presented at this event are presumably only a drop in the bucket. The hackers who attend Black Hat and Defcon do so to shine a light on possible security vulnerabilities so that they can be patched (some of these hackers are also paid for their work). It's safe to assume that other people are working on similar hacks, but they are not presenting them at hacking conventions.

Of course, there are a number of entities working against such hacks. Indeed, Dallas De Atley, manager of the Platform Security team at Apple (NASDAQ:AAPL), attended the hacking event to "discuss key security technologies in iOS," according to the event's website.

Nonetheless, it appears that cell phone hacking is a real, growing and potentially explosive area where developers could make plenty of money--either by legal mechanisms or otherwise.