With the advancement of technology and information systems, hackers are now able to hack even some sophisticated devices. Most often we hear about web hack cases. However, we very rarely hear about mobile phones being hacked or hijacked.

So, does this mean our phone is not hackable? When we think about it for a while, it’s not surprising to think that, “Maybe it is not hackable as phones are private devices that only remain with us and hackers need to access our phone physically in order to hack it. And, even if they get our phone, it is secured with some sort of PIN so maybe I am safe.”

This is where we go wrong! Hackers can still hack your phone even without gaining any physical access.

The phone might physically be in your hand while, logically, it is in the hands of an attacker.

Ways a hacker can get into your device

1. SurfingAttack

It is an interactive hidden attack on Voice Assistants Using Ultrasonic Guided Waves.

Voice assistants allow smartphone users to do different activities using a spoken command. And yes, they can also potentially let hackers do the same things by bombarding the device’s microphone with ultrasonic waves.

The research was conducted by hiding a remotely controllable attack device that could send ultrasonic waves through the table to trigger a phone lying flat on its surface. As a result, the researchers were able to activate the voice assistant of a phone placed on the tabletop, which let them read private messages, extract authentication passcodes, and much more from the mobile devices.

You can read more about the research here; the attack worked on 17 popular smartphone models, including ones manufactured by Apple, Google, Samsung, Motorola, Xiaomi and Huawei.

2. SIM card hacking

It is performed by an attacker who contacts the legitimate user’s phone provider, pretends to be the user, and then asks for a replacement SIM card.

Hackers hit Twitter C.E.O. Jack Dorsey in a ‘SIM swap’ in August 2019 using a phishing method. You can read the full details here!

Once the attacker successfully replaces your contact number with a new one, the old one gets deactivated and your phone number is stolen. Once the attacker has taken over your SIM card, all your phone calls, messages, etc. are taken over too.

Simjacker

This is one of the most interesting attacks that does not involve convincing the phone provider.

How does it work?

_A Simjacker attack involves an SMS containing a specific type of spyware-like code sent to a mobile phone, which on being clicked instructs the SIM card within the phone to take over the mobile phone in order to retrieve and perform sensitive commands._

3. Key Logging

With the advancement of technologies, hackers have now found out new methods to install key loggers in the victim’s device.

When we see an alluring or trending app or piece of software, we often install it in order to explore it. What we never do is look at what the app is doing behind the scenes.

**The real question is: is it really attractive behind the scenes too?** If yes, then for whom? It could be a legitimate app, or it could be a tool for hackers to install keyloggers.

Usage of Key Logger

_A keylogger, or keystroke logger, is a type of surveillance technology used to monitor and record each keystroke typed on a specific computer’s keyboard. This includes your valuable credentials too. What’s worse?_ Once a cybercriminal has got hold of confidential user data, they can easily transfer money from the user’s account as well.

One of the ways it could be installed

When the victim downloads the file to the device and opens it, the device gets infected with a Trojan. The Trojan can be designed to activate once installed and opened, and it can then display a notification with a request to re-enter some of your critical information. In the worst case, this could be your bank information. The keylogger incorporated in the Trojan then records the data entered by the victim and can later send it to the cybercriminals’ server. Now the attacker has all your bank information without accessing your device physically.

4. Social Engineering

This is one of the well-known attacks that involves the sentiments of the victims. Rather than targeting the device itself, this attack targets the psychology of the victim by encouraging unsuspecting users, employees, or anybody to do confidential work without even knowing that they are being targeted. This leads to the disclosure of confidential information to the hacker.

5. Synchronization

If you think about it, your smartphone is an advanced storage device, just like a flash drive. We often connect our devices to PCs for different purposes: file transfer, sometimes charging, and many more. This is when some types of malware can jump to (or _jump from_) your mobile device. Here, the attacker does not even have physical access to your device. You have your device, but attackers can now have control over it.

6. Buffer Overflow Attack

“If you pour water into a cup beyond its capacity, it’s bound to overflow.”

This kind of attack used to be most common in web applications. However, it has also become one of the commonly seen attacks in mobile apps.

What is Buffer Overflow Attack?

It is an anomaly in the application where the program tends to store more data in a buffer (memory store) than its default capacity, causing the buffer to overflow. These vulnerabilities affect data integrity and/or can lead to privilege escalation or remote code execution attacks on devices.
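The data-integrity effect described above, as an added example that is not part of the original article: an unchecked copy next to a bounds-checked one. The 8-byte name buffer, the adjacent `is_admin` flag and all function names are constructed for illustration, and the layout is modelled inside one byte array so the overflow stays within the demo's own memory.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed layout: an 8-byte name buffer followed directly by a flag,
   modelled inside one byte array so the overflow stays well-defined C. */
#define NAME_CAP    8
#define REGION_SIZE 16
#define FLAG_OFFSET NAME_CAP

struct region {
    unsigned char bytes[REGION_SIZE]; /* [0..7] name, [8] is_admin flag */
};

static void region_init(struct region *r) {
    memset(r->bytes, 0, sizeof r->bytes);
}

/* Before: trusts the caller's length, as an unchecked strcpy/memcpy would.
   (Clamped to the region only so this demo never leaves its own memory.) */
static void copy_name_unchecked(struct region *r, const char *src, size_t len) {
    if (len > REGION_SIZE) len = REGION_SIZE;
    memcpy(r->bytes, src, len);
}

/* After: rejects input that does not fit the name buffer plus terminator. */
static int copy_name_checked(struct region *r, const char *src, size_t len) {
    if (len >= NAME_CAP) return -1;
    memcpy(r->bytes, src, len);
    r->bytes[len] = '\0';
    return 0;
}

static int is_admin(const struct region *r) {
    return r->bytes[FLAG_OFFSET] != 0;
}

int main(void) {
    const char input[] = "AAAAAAAAA"; /* constructed: 9 bytes, one too many */
    struct region a, b;
    region_init(&a);
    region_init(&b);
    copy_name_unchecked(&a, input, strlen(input));
    printf("unchecked: is_admin=%d\n", is_admin(&a));
    printf("checked:   rc=%d is_admin=%d\n",
           copy_name_checked(&b, input, strlen(input)), is_admin(&b));
    return 0;
}
```

The ninth input byte lands on the flag in the unchecked version, while the checked version refuses the input and leaves the flag untouched.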

Buffer Overflow vulnerabilities in some common apps

  • A critical bug was discovered in WhatsApp VoIP, the feature responsible for audio and video calls, that allowed an attacker to take over a mobile device; it was reported to be a Buffer Overflow vulnerability.
  • A code execution flaw was detected and resolved in macOS Catalina: a buffer overflow traced back to the UIFoundation component, which could be triggered through malicious text files.


Do Hackers Need to Handle Your Phone Physically in Order to Hack It?