For criminals, smartphones becoming prime targets
On Monday, benevolent hackers with a cyber-security company called iSEC Partners demonstrated how they were able to capture cell phone calls and texts, along with any other data sent through a Verizon smartphone, using a device called a femtocell that can be purchased for less than $300.
A femtocell is a wireless network extender, a device designed to help people improve poor cell phone service; it effectively serves as a mini-cell phone tower. The iSEC team hacked into the device so that it could pick up the signal from phones in a 40-foot radius and capture its data - including, say, the password you type in when doing your online banking or sensitive corporate emails.
Verizon said it has since fixed the problem. But Tom Eston, Manager of Profiling and Penetration at information security company SecureState, said the hack likely represents the tip of the iceberg.
"I would suspect that vulnerability is present in other carriers and even other devices from Verizon," he said. "It's really a much broader problem and [carriers] really don't have a good handle on it." (Verizon said the problem had been patched on all of its devices.)
In the past, he said, hackers could set up rogue cell phone towers to attempt to capture signals and hack into phones, but it was expensive and exploited now-outdated technology. "The only people who could really do it is state-sponsored governments," he said. "It's really become much more practical and easier to do now that we have this new technology."
"Building a tower isn't exactly portable," he added. "This you can place anywhere."
Eston pointed to the possibility of a spy with a femtocell sitting next to a CEO of a company in an airport and capturing his or her calls, texts and data, or a criminal walking through a crowded street and picking up data from hundreds of oblivious smartphone users.
"Criminal gangs will definitely be on this very quickly," he said. "A lot of the same people that are involved with credit card fraud, check fraud, ATM skimmers, this is a new type of attack that we're starting to see those kinds of groups lean to."
In the wake of the PRISM revelations, I asked Eston whether the U.S. government might hack into phones using a femtocell.
"They probably don't have to hack cell phones with the trove of data they have with the NSA," he said. "I'm sure there is some hacking going on depending on the situation but they've already got a lot of this information at their fingertips."
For some foreign governments, however, cell phones are tempting targets. When a smartphone connects to a foreign carrier, that carrier can automatically push updates to that phone - updates that could include malware that offers those governments a backdoor to track the owner and records his or her data.
"We've heard reports of that happening with android handsets in foreign countries," said Eston. "I've seen and talked to people that were over in China and they said they were getting strange updates on their phone."
And then, of course, there are the more traditional ways of gaining access to mobile phones. That can mean stealing them and accessing data after bypassing past weak or nonexistent passwords. It can also mean sending someone a link that they click on that installs malware on their phone.
Part of the problem, Eston said, is that people don't think about their cell phones the way they do their computers - they aren't running smartphone antivirus software, which Eston acknowledges is "still very immature."
"Most people just feel that there's no risk on their phone," he said. "That's definitely not true."
"Just like your computer or anything else, be very careful what you choose to put on your cell phone or what you say or what you message because there is a risk that it could be intercepted," he said. "People need to be aware that passwords, credit cards can be stolen without their information, and there's not a lot they can do about it right now."