Our reliance on mobile phones has soared to unprecedented heights. We entrust them with everything, from banking to booking holidays, and because of this the amount of personal data they hold can be frightening. In this blog post the profound effects of an attack on our devices are explored. Fortunately, the rise of full device encryption offers a glimmer of hope.
Hardware-backed data encryption has been increasingly relied upon for its security and efficiency. It bases its workings on dedicated hardware modules such as Trusted Platform Modules (TPMs) and Secure Enclave Processors (SEPs), which generate and hold the cryptographic keys and carry out the key operations themselves, so that the keys never have to be exposed to the operating system or to the software requesting the work [4]. Software passes data down to these components for encryption and decryption and receives the result back without ever seeing the key. The development of publicly accessible ‘unbreakable’ encryption has however been a major talking point for a while now [6], with the main argument against it being that it can be used for nefarious purposes: criminals can use it to communicate with each other securely, making eavesdropping on these conversations much more difficult for the authorities. However, opposing the free use of strong encryption opens the public to many possible privacy violations, and has been reported by some as an overreach into the personal lives of the public [5].
The concept of complete security for mobile devices has previously made headlines, though likely for a different reason than expected. ‘EncroChat’ was a communications network and service provider that sold modified phones to security-conscious buyers; the devices were off-the-shelf phones running custom Android builds created with security in mind. They were taken up mostly by criminals, many of whom ran and coordinated multi-million-pound drug empires [7]. These empires fell apart when the supposedly secure communication network was taken down and completely compromised by a joint effort of Europol and the French, Belgian and British police [8]. The primary issue that helped bring down the infrastructure was the poor operational security of the project, something that should be a critical consideration in any privacy-focused venture, especially one that based its entire operation and main selling point on it.
Another important consideration in the realm of security and privacy is that both iOS and Android are vulnerable to malware and other attacks. Mobile phone malware is nothing new. In the early 2000s Nokia phones running Symbian OS were vulnerable to a worm that spread over Bluetooth [1], which was a large issue because Over-The-Air (OTA) software updates weren’t introduced until much later. OTA updates make it easy to push security patches to devices all over the world as soon as they are released.
However, as with any security issue, there are always bugs that go unreported or are kept hidden, and NSO Group’s spyware business pivoted its operation on exactly that. Its product, code-named ‘Pegasus’, was a spyware/remote-access tool able to completely compromise selected Apple iOS devices through ‘zero-click’ means (no user interaction needed). The malware has gone through multiple iterations using different infection vectors: some versions analysed relied on network injection, where rogue cell towers silently redirected the victim’s web traffic to attacker-controlled domains that delivered part or all of the payload, while other versions delivered the exploit through malicious messages that left no visible trace for the user. Amnesty International reverse engineered the traces this suite of exploits leaves behind and published its full methodology [3], in the hope of curbing the use of such malware to spy on journalists and other public figures, which often puts their lives in danger under corrupt governments.
Successfully compromised devices are reported to run a background process called ‘bh’, which is likely used to gain persistence on the device, letting the implant survive a reboot. In one example analysed, the vulnerability leveraged was in a JavaScriptCore binary present on the device, which allowed the malware to achieve code execution; this was then likely used to download the rest of the malware and potentially keep it updated. A device in this state can be fully controlled from the command-and-control server, and every aspect of it can be silently eavesdropped on. The software went to extreme lengths to stay stealthy, for example by disabling the upload of crash logs to Apple, presenting a normal experience to the end user and tricking them into blindly trusting their now compromised device.
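As an added example, not part of the original post and not Amnesty’s own tooling, this is the kind of indicator check a forensic analyst runs over records pulled from a device: process names are compared against known implant process names, and visited URLs against known delivery domains, including their subdomains. Only the process name ‘bh’ is taken from the text above; the record format, the sample records and the domain indicator are constructed placeholders standing in for a real indicator feed such as the one Amnesty publishes alongside its report [3].

```python
"""Match constructed iOS forensic records against a small indicator set."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed indicator set. Only the process name "bh" comes from the text;
# the domain is a placeholder under the reserved .invalid TLD, not a real
# Pegasus domain.
IOC_PROCESS_NAMES = {"bh"}
IOC_DOMAINS = {"payload-placeholder.invalid"}

# Constructed sample records in two shapes an extraction might yield:
#   proc|<timestamp>|<process path or name>|<bytes sent>
#   url|<timestamp>|<url visited>
# The "bhd-constructed" line is a decoy: it contains "bh" but is not the
# indicator, and exact-name matching must not flag it.
SAMPLE_RECORDS = """\
proc|2021-07-18T10:02:11Z|/usr/sbin/bh|48213
proc|2021-07-18T10:02:15Z|com.apple.WebKit.Networking|10231
url|2021-07-18T10:01:58Z|https://cdn.payload-placeholder.invalid/st1
url|2021-07-18T10:03:40Z|https://www.example.com/news
proc|2021-07-18T11:00:00Z|/usr/libexec/bhd-constructed|512
url|2021-07-18T11:05:00Z|https://payload-placeholder.invalid.example.com/
this line is malformed and must be skipped
"""


@dataclass(frozen=True)
class Finding:
    kind: str        # "process" or "domain"
    timestamp: str
    value: str       # matched process name or hostname
    record: str      # raw record that triggered the match


def process_name(path: str) -> str:
    """Return the basename so '/usr/sbin/bh' and 'bh' compare equal."""
    return path.rsplit("/", 1)[-1]


def domain_matches(host: str, indicators: set[str]) -> Optional[str]:
    """Match an exact indicator hostname or any subdomain of it.

    'payload-placeholder.invalid.example.com' must NOT match: the indicator
    has to be the suffix of the host, not merely appear inside it.
    """
    host = host.lower().rstrip(".")
    for ioc in indicators:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan(records: str,
         process_iocs: set[str] = IOC_PROCESS_NAMES,
         domain_iocs: set[str] = IOC_DOMAINS) -> list[Finding]:
    """Walk the records once and return every indicator hit in file order."""
    findings: list[Finding] = []
    for raw in records.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split("|")
        if len(parts) < 3:
            continue  # malformed record: skip it rather than abort the scan
        kind, timestamp, subject = parts[0], parts[1], parts[2]
        if kind == "proc":
            name = process_name(subject)
            if name in process_iocs:           # exact match, not substring
                findings.append(Finding("process", timestamp, name, raw))
        elif kind == "url":
            host = urlsplit(subject).hostname or ""
            if domain_matches(host, domain_iocs):
                findings.append(Finding("domain", timestamp, host, raw))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, e.g. {'process': 1, 'domain': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.timestamp} {f.kind:<8} {f.value}  <- {f.record}")
```

Two details matter in practice: process matching is on the exact basename, because substring matching on a two-letter name like ‘bh’ would flood the results with false positives, and domain matching is on the hostname suffix, so an attacker-controlled subdomain is caught while a look-alike that merely contains the indicator string is not.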
This means that, under a microscope, mobile phones are no different from computers, and many of the same vectors of exploitation apply to both. The same care should therefore be applied to how they are handled and used, because at the end of the day they are only as secure as the person using them chooses to make them. This also helps to raise awareness of how secure our devices really are, which is likely much less than we think.
Unfortunately, there is little anyone can do to become truly secure; however, good cyber hygiene such as keeping backups and not reusing passwords should be enough for most people [9]. There is little that can be done to prevent the likes of ‘Pegasus’, but keeping devices up to date and only installing apps from known sources such as Google’s Play Store or Apple’s App Store can only help.
In conclusion, the power of mobile phones is likely underestimated, and they are likely misused because of the amount of trust we place in them. Their security has improved greatly, but we still need to apply the same principles and precautions we use with conventional computer systems.
[1] N. Bene, “10 years since the first smartphone malware – to the day,” eugene.kaspersky.com, Jun. 15, 2014. https://eugene.kaspersky.com/2014/06/15/10-years-since-the-first-smartphone-malware-to-the-minute/ (accessed Jun. 30, 2023).
[2] P. Morris, “This Text Message Can Crash, Reboot Any iPhone Instantly,” Redmond Pie, May 27, 2015. https://www.redmondpie.com/this-text-message-can-crash-reboot-any-iphone-instantly/ (accessed Jun. 30, 2023).
[3] Amnesty International, “Forensic Methodology Report: How to Catch NSO Group’s Pegasus,” www.amnesty.org, Jul. 18, 2021. https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/ (accessed Jun. 30, 2023).
[4] Dansimp, “How Windows uses the TPM - Windows security,” learn.microsoft.com, Feb. 27, 2023. https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm (accessed Jun. 30, 2023).
[5] L. Clark, “Proposed UK moves to break encryption draw anger of IT world,” www.theregister.com, Apr. 18, 2023. https://www.theregister.com/2023/04/18/wrong_time_to_weaken_encryption/ (accessed Jun. 30, 2023).
[6] UK Parliament, “Bill 3137,” bills.parliament.uk, Jun. 22, 2023. https://bills.parliament.uk/bills/3137 (accessed Jun. 30, 2023).
[7] R. Kennedy, “EU authorities penetrate phone network in huge organised crime sting,” euronews, Jul. 02, 2020. https://www.euronews.com/my-europe/2020/07/02/encrochat-european-authorities-compromise-phone-network-to-arrest-untouchable-criminals-in (accessed Jun. 30, 2023).
[8] Europol, “Dismantling of an encrypted network sends shockwaves through organised crime groups across Europe,” Europol, May 01, 2020. https://www.europol.europa.eu/media-press/newsroom/news/dismantling-of-encrypted-network-sends-shockwaves-through-organised-crime-groups-across-europe (accessed Jun. 30, 2023).
[9] National Cyber Security Centre, “Cyber Aware,” www.ncsc.gov.uk. https://www.ncsc.gov.uk/cyberaware/home (accessed Jun. 30, 2023).