If you click a single “bad” link, a hacker could gain full control of your mobile device — without you ever knowing anything is wrong. Sounds impossible? It’s not. Sounds scary? It is.
But don’t panic just yet.
As Technology Review’s Tom Simonite explains, the method used to gain full remote control of a mobile device was demonstrated recently at the RSA security conference. Members of a security startup called CrowdStrike showed that as long as they could trick someone into following a link on his mobile device, they could then record his phone calls, intercept his text messages and more.
The attack relies on exploiting flaws in WebKit, a browser component that is at the core of many mobile Web browsers — including those on Android, iOS and BlackBerry devices. The method used is very targeted, and it isn’t particularly likely you’ll find yourself a victim of it.
But it’s pretty darn devastating to understand just how vulnerable you are. To illustrate that point, CrowdStrike’s George Kurtz and his colleagues used an unmodified Android device to show how an attack might play out:
Kurtz, playing the role of a busy investor at an industry event, received a text message claiming to be from his mobile carrier asking him to download an update to his phone’s software. When he clicked the link in that message, the phone’s browser crashed and the device rebooted. Once restarted, the device appeared unchanged, but a silent, malicious app had been installed that relayed all his phone calls and text messages to the attacker, who could also track his location on a map.
The “silent, malicious app” installed on Kurtz’s device is actually a hard-to-detect “rootkit” — software which is invisible to a lot of security tools, according to Simonite.
The way to keep individuals from falling victim to it — or to similar attacks — involves frequent updates of mobile operating systems, in order to patch security vulnerabilities before someone with malicious intent can take advantage of them. Unfortunately, that’s not always an option, as Simonite explains:
[D]oing that is far from easy, because wireless carriers, device manufacturers, and mobile operating system providers must all be involved. As a consequence, most mobile devices today receive updates very rarely.