Mobile paranoia. 10 facts about how wearable devices are tracking you.


For twenty-five years now, hackers have been continuously sounding the alarm: our private life, privacy, the right to anonymity, the right to confidentiality of correspondence are being attacked, and more and more intensively every year. The era of total control is already on the doorstep, but most people are not worried about it - even Snowden's stunning revelations are perceived by the broad masses as an ordinary passing scandal from some guy. What is left for us hackers? Inform. More and more sophisticated threats are discussed at security conferences - we have selected ten reports that focus on the latest trends in mobile espionage.

1. The gyroscope that listens

Source: Gyrophone: Recognizing Speech From Gyroscope Signals // Black Hat 2014

Modern smartphones are equipped with a variety of sensors that enable a rich user experience. They are generally useful, but they can sometimes (inadvertently, of course) divulge sensitive information. The privacy risks associated with sensors such as microphone, camera and GPS are obvious and well understood, but it turns out that a gyroscope with an accelerometer can also be dangerous, because even a Java applet on a website can measure and store the readings of these sensors.

What is the threat? Access to the gyroscope and accelerometer makes it possible to identify the user by walking pattern (obtained from the smartphone's accelerometer), to read characters typed on a keyboard next to which the smartphone is lying, and even to listen to conversations without access to a real microphone, using the gyroscope as a crude microphone. Detailed instructions on how to do all this are in the public domain.

2. The battery that knocks

Source: Battery Firmware Hacking // Black Hat 2011

"Battery? Are you serious? Guys, what are you doing, what does the battery of my cell phone have to do with it?" Okay, okay, calm, let's start from afar.

Have you ever wondered how your cell phone battery knows when to stop charging when it is plugged into the mains but the phone is turned off? The fact is that a modern battery has a built-in microcomputer that communicates with the charger and the mobile phone. A smart battery, or rather its built-in "smart battery management system" (SBS), can be completely reprogrammed.

Initially, this capability was provided so that the SBS could measure the battery's parameters more accurately and adjust the charging algorithm more adaptively (depending on chemical and other characteristics). If an attacker manages to change the operation of this internal microcomputer, the battery could overheat or even catch fire. Also, an attacker who has access to the smart battery's microcomputer will be able to monitor trusted operations with the smartphone's cryptochip (since the battery communicates with the operating system via a "trusted channel").

3. Tell me how much power your phone consumes ... and I'll tell you where you are

Source, instruction manual: PowerSpy: Location Tracking using Mobile Device Power Analysis // 24th USENIX Security Symposium. 2015. P. 785–800

Modern mobile platforms such as Android allow apps to know the total energy consumption of a smartphone. This information is considered harmless and therefore does not require root user rights to read it.

What is the threat? Simply by reading a smartphone's cumulative energy consumption for a few minutes, the location of its user can be determined. Aggregate power consumption data is extremely noisy, because many components and applications draw power at the same time. Nevertheless, modern machine learning algorithms can filter out that noise and successfully determine the location of the smartphone. Detailed instructions on how to do this are in the public domain.

4. Wi-Fi reads lips

Source: We Can Hear You with Wi-Fi! // IEEE Transactions on Mobile Computing. 2016. Vol. 15, No. 11. P. 2907-2920

Wi-Fi signals can "see" the movement and location of people and "hear" their conversations - even those who do not have any electronics with them. This becomes possible thanks to advanced radio mapping techniques: coarse-grained radio mapping allows you to “see”, and fine-grained radio mapping even allows you to “hear” (moreover, several people at once).

The case of Wi-Fi vision is more or less clear and therefore not so interesting. As for "Wi-Fi-hearing", the secret here is in the profiling of the movement of the oral cavity. At the same time, the Wi-Fi signal captures the characteristic position not only of the lips, but also of the teeth and tongue. In addition, since radio signals travel through walls and other physical obstacles, Wi-Fi can “hear” conversations even behind a wall. To do this, the Wi-Fi signal only needs to find the person's mouth without confusing it with a blinking eye. But this task is quite solvable. Detailed instructions on how to tame Wi-Fi (using machine learning and wavelet transforms) are in the public domain.

5. The electromagnetic field is still pale

Source: A Reliability-Augmented Particle Filter for Magnetic Fingerprinting Based Indoor Localization on Smartphone // IEEE Transactions on Mobile Computing. 2015. Vol. 15, No. 8. P. 1877-1892

Indoor localization in which a smartphone records the electromagnetic field (electromagnetic fingerprints) has been a widely discussed technology in recent years. It is based on the fact that inside different rooms the magnetic field differs depending on natural and artificial factors: the design features of the steel or reinforced concrete frame, the design features of the electrical network, and so on.

Thus, each room has its own unique electromagnetic fingerprint. Corresponding magnetic field profiles can be used as fingerprints for indoor localization. Indoor electromagnetic localization is gradually replacing Wi-Fi radio mapping, since it consumes less energy. After all, nothing but a smartphone is needed to record the electromagnetic field, and there is no need to generate this field, because it already exists. Wi-Fi radio mapping, by contrast, requires multiple Wi-Fi signal receivers and transmitters.

Critical comment from 84ckf1r3

Most often, the methods described above lack precision for practical implementation. They are counteracted by strong noise, low sample rates, and other physical limitations. Machine learning and filtering techniques are also not omnipotent. For example, now by analyzing the propagation of signals from different Wi-Fi access points, it is possible to determine the number of moving people behind the wall. Immobile people often merge with furniture. It is possible to estimate the height of people detected in this way very approximately, and their articulation is physically impossible. Not enough resolution.

The battery management system is too primitive to force it to compromise the cryptographic keys of a smartphone. After all, a microcontroller is not a universal microprocessor that can theoretically be forced to execute any set of instructions.

In other words, it is extremely difficult to take all this beyond the proof-of-concept - "Mathematical Theory of Communication" and other books by Shannon seem to hint to us that it is impossible to recover a complex signal (with high entropy and frequency) by analyzing side simple signals. For example, by the sound of the wheels of a train, you can get an approximate idea of its speed, but you cannot find out which radio station a passenger is listening to from the third compartment in the fifth car, what is the contents of his luggage, and whether there is any at all.

6. RFID beacons - an old threat in a new way

Source: Extreme-range RFID tracking // Black Hat 2010

It's no secret that RFID, these tiny computer chips that are now smaller than a grain of sand, are one piece. How do you like the robbers who walk in the city center with a scanner and look for the microchipped documents of citizens from rich countries in order to rob them? But this is already a reality, because with the help of inexpensive special equipment RFID can be read from a distance of twenty meters.

The owners of retail chains can also feel like they are among the first violins at the holiday of total espionage, because they have every opportunity to monitor you - thanks to the RFID beacon, each item of the product has a unique identifier. This identifier can be easily linked to the customer. For example, to identify a "frequent customer" when scanning his credit card.

RFID chips can be read from a distance, right through your clothing, wallet or backpack - without your knowledge or consent. We consumers cannot know which products have these chips and which ones do not. RFID chips can be hidden well. For example, they can be sewn into the seams of clothing, located between layers of cardboard, molded in plastic or rubber, and integrated into the design of consumer packaging. In addition, the antenna required for these chips to operate can now simply be printed with conductive ink, making RFID chips virtually invisible. Some companies are even experimenting with packaging design that will be an antenna in itself.

As a result, soon the consumer will not be able to find out whether the purchased product has an RFID beacon or not.

7. Ultrasonic conspiracy: uBeacons

Source: Talking Behind Your Back. Attacks & Countermeasures of Ultrasonic Cross-Device Tracking // Black Hat 2016

The Ultrasonic Tracking Ecosystem (uBeacons) is a relatively new technology that uses audio beacons inaudible to the human ear to track users and devices. uBeacons are high-frequency audio beacons that most commercial speakers can emit and most commercial microphones can detect. This ultrasound is the holy grail of marketers, as it tracks user activity across devices.

For example, knowing that Uncle Vasya just watched a TV ad and is already surfing the Internet from his smartphone (to find a birthday present), an advertiser can show relevant contextual advertising. uBeacons can be embedded in websites or TV ads and can be collected by advertising SDKs embedded in smartphone apps. What marketers like most about uBeacons is that they deliver highly accurate ad targeting without requiring any user action. However, this requires the uXDT framework to be installed on the user's mobile device. The essence of the uXDT framework is that appropriate audio beacons are embedded in mobile applications to monitor what the user is doing.

At the same time, the developer of a mobile application may not even know that such a beacon is hidden in his project. This can happen, for example, when he used a "free SDK" while developing software, where the developer of this SDK, for the sake of income, built an ultrasound module into his library. Advertisers use uXDT to target users as follows.
  1. First, the advertiser launches an ad with ultrasound elements: either on TV or on the website.
  2. As soon as the ad is displayed, a short sequence of high-frequency (i.e. ultrasonic) tones is emitted from the device speaker. This high-pitched tone is immediately captured by the uXDT framework on the user's smartphone.
  3. To provide this functionality, the uXDT framework runs in the background and periodically accesses the device's microphone to listen for ultrasonic signals.
After such a signal is detected, the uXDT framework extracts a unique ad identifier from it and informs the advertiser about it - along with the unique identification data of the device and user. The advertiser then uses this information to identify the interests and preferences of the user, and in accordance with this makes him an individual advertising offer: directs targeted advertising to the user's device.
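
One way a defender could check an audio capture (for example, a recording of an ad break or a web page's audio) for the kind of beacon described above. This is an added example, not code from the original article or from any uXDT SDK. The 18-20 kHz band, the frame size, the thresholds and the synthetic test capture are all assumptions made for the illustration.

```python
import math
import random

RATE = 44100               # samples per second (assumed capture rate)
FRAME = 512                # analysis frame: ~11.6 ms, ~86 Hz bin width
BAND = (18000.0, 20000.0)  # assumed near-ultrasonic beacon band, in Hz
SHARE_MIN = 0.01           # flag a frame when one probe holds >= 1% of its energy
MIN_FRAMES = 3             # ignore runs shorter than ~35 ms (clicks, transients)
# Probes spaced at half the bin width, so no tone falls between two of them.
PROBES = [BAND[0] + k * RATE / (2 * FRAME)
          for k in range(int((BAND[1] - BAND[0]) * 2 * FRAME / RATE) + 1)]


def goertzel_power(frame, freq):
    """Squared DFT magnitude of `frame` at `freq` (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def find_beacons(samples):
    """Return [(start_s, end_s, [tone_hz, ...])] for sustained tones inside BAND."""
    hits, run = [], []     # run: (frame_index, tone_hz) of consecutive flagged frames
    n_frames = len(samples) // FRAME
    for i in range(n_frames + 1):            # the extra pass flushes the last run
        flagged = False
        if i < n_frames:
            frame = samples[i * FRAME:(i + 1) * FRAME]
            energy = sum(x * x for x in frame)
            power, peak_hz = max((goertzel_power(frame, f), f) for f in PROBES)
            # 2*power/(FRAME*energy) is ~1 for a pure tone, ~0 for speech or noise.
            flagged = energy > 0 and 2.0 * power / (FRAME * energy) >= SHARE_MIN
        if flagged:
            run.append((i, 250 * round(peak_hz / 250)))   # report in 250 Hz steps
            continue
        if len(run) >= MIN_FRAMES:
            tones = sorted({hz for _, hz in run})
            hits.append((run[0][0] * FRAME / RATE, (run[-1][0] + 1) * FRAME / RATE, tones))
        run = []
    return hits


def constructed_capture(with_beacon):
    """Constructed 0.8 s signal: two speech-range tones, faint noise, optional beacon."""
    rng = random.Random(7)
    out = []
    for n in range(int(0.8 * RATE)):
        t = n / RATE
        x = 0.5 * math.sin(2 * math.pi * 300 * t) + 0.3 * math.sin(2 * math.pi * 1200 * t)
        x += rng.uniform(-0.01, 0.01)
        if with_beacon and 0.3 <= t < 0.5:   # two 0.1 s tones at 18.5 and 19.5 kHz
            x += 0.2 * math.sin(2 * math.pi * (18500 if t < 0.4 else 19500) * t)
        out.append(x)
    return out


if __name__ == "__main__":
    for start, end, tones in find_beacons(constructed_capture(True)):
        print(f"beacon-like tones {tones} Hz from {start:.2f} s to {end:.2f} s")
```

The detector measures energy relative to the rest of the frame, so a beacon much quieter than the accompanying audio needs a lower `SHARE_MIN`, and a capture sampled below about 40 kHz cannot contain this band at all.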

8. The enemy from the refrigerator (and bookshelf)

Source: Supermarket Cards: The tip of the retail surveillance Iceberg // Denver University Law Review. 79 (4), 2002. pp. 534-539, 558-565.

In 1999, the University of Massachusetts initiated the Auto-ID project, the goal of which was to create a "physically connected world" where every element on the planet is inventoried, cataloged and tracked. There are now 0.3mm RFID beacons that are as thin as a human hair. They can easily be placed in banknotes, which gives intelligence agencies the ability to track the history of monetary transactions. This initiative eliminates the anonymity of the exchange of cash.

"Refrigerators that report their contents to the supermarket." “Interactive TV that selects ads that are relevant to you” (for example, based on the contents of your refrigerator). All this is the reality of our days. Auto-ID, when combined with RFID scanners installed in bookshelves (called smart shelves), can provide comprehensive information about the behavior of potential consumers. Moreover, sometimes such RFID scanners are installed in interior items even without the knowledge of the end user.

Don't have a single RFID microchip at home or in your purse? Then you are a suspicious guy, a potential terrorist.

Today, government intelligence agencies are seriously thinking about digitizing all the vital activities of every person and tracking them in real time "in order to counter terrorism" (well, as usual).

See what smart people write on this topic:

“The key to defeating terrorists is the ability to digitize absolutely all people and place them on our digital battlefield. By identifying each person and tracking their movements in real time, we will be able to immediately recognize their suspicious activity. And if a person is not digitized, then he is a potential terrorist. You can digitize the population by embedding RFID beacons: in documents, car licenses, library tickets, corporate IDs, passports, visas, license plates, and so on. By fully digitizing the population, we will know who owns what. Then we can, by processing all this data on powerful computers, identify suspicious activity. We can track people inside vehicles by triangulating RFID beacons (using a setup of three RFID scanners placed, for example, in the lampposts). All vehicles moving between cities must also have RFID beacons (on driver's license, documents). When these vehicles come close to an RFID scanner built into the asphalt road surface, we can identify both the vehicle and its current driver. Thus, we will be able to qualitatively identify suspicious activity of the population.”
Counterinsurgency Airpower // Air & Space Power Journal. 20 (4), 2006. p. 16

9. The secret life of your SIM card

Source, operating instructions: The Secret Life of SIM Cards // DEF CON 21. 2013

A SIM card is a mysterious little computer in your pocket that is beyond your control. A SIM card can do much more than just act as an intermediary for authorization on your mobile. The simplest applications can be downloaded and executed directly on the SIM-card - separately from the mobile phone, without even knowing what operating system is on the mobile phone. These applications can:
  • go to URLs;
  • send SMS;
  • initiate and receive calls;
  • connect and use information services;
  • run AT commands on a mobile phone.
Applications are downloaded to the SIM card in "quiet mode" - through packet data transmission over remote access. Either a mobile operator or an attacker pretending to be a mobile operator (for example, using an IMSI interceptor) can update applications on a SIM card. Detailed instructions on how to do this are in the public domain.

10. Mobile Trojans, or old technologies still in service

Source: Surrounding Reality

New technologies are sweeping the planet without canceling the tried-and-true classic - malware.

There are several dozen spyware programs that can be remotely installed on a mobile phone in "quiet mode" and spy on its owner without revealing its presence. It was previously believed that by adhering to the so-called cybersecurity hygiene, you can reliably protect yourself from such interference in your personal life. However, today, even those who avoid risky behavior on the Internet, who use the most modern protection and the most recent software updates, can become victims of mobile espionage.

With the latest protection, some spyware can be tracked down. However, in order to keep these protections up to date, you need to be able to configure them. After all, attackers, just like security professionals, do not sit still, and they make significant efforts to hide their programs from automated defense systems. At the same time, setting up protection becomes more difficult over time, while carrying out successful attacks becomes easier. One reason is that, at the instigation of Western intelligence services, the most modern information technologies are now in the public domain. As a result of this policy of openness, the risk increases that high-tech toys will be used by unpredictable and impulsive young people who have watched too many films about hackers.

It is believed that the widely advertised leaks of high-tech toys by the CIA are not at all a demarche by Snowden and WikiLeaks, but a controlled leak of information intended to direct competitors in the "arms race" in a knowingly losing direction; so that they continue to invest time and money in tools that no longer provide a competitive advantage. Cyber operations and infocentric wars are no longer the key to it. Today, knowledge-centric wars call the tune, and their essence boils down to the fact that "people are broken by professionals, not machines."

Thus, we are witnessing an ever-increasing exponential asymmetry in cybersecurity: attackers are in better conditions than defenders. The annual growth of mobile threats is 42%. Below are a few examples of spyware that is distributed as legal - under the guise of so-called parental control systems and the like. All of them hide their actions from the owner of the mobile phone.

Neo-Call Spy. Originally designed for Symbian, it now also works on iPhone, BlackBerry, Android and Windows Phone. It sends information directly to another mobile phone. The program is tied to the IMEI number, which means that the attacker must know his target. It monitors SMS, the call list and location, listens remotely, and logs keystrokes. It receives commands from the controlling mobile phone in hidden SMS messages.

Mspy. Works on smartphones and tablets. Allows you to track calls, SMS, emails, GPS location, browsing history, calendar, address books, IM messages; allows you to manage installed applications, view multimedia files. It also has remote control features such as complete device erasure and detailed reporting. To collect and provide information, it uses a secure Internet account with a client-server architecture and a web interface.

FlexiSpy. This program was originally classified as a mobile Trojan due to its aggressive behavior; but then it began to behave more gently, and it was removed from the category of mobile Trojans. It allows you to spy on mobile phones and tablets. Offers about 130 functions, including those that Mspy has. Unique functions: access to a video camera, wallpaper viewing. Just like Mspy, it uses a secure Internet account to collect and provide information, with a client-server architecture and a web interface.

Mobile Spy. Provides most of the FlexiSpy features; in addition, it can block applications, install new applications and interact in real time with the control panel of the mobile user interface.

Higster Mobile. An easy-to-use monitoring program: text messages, recording of telephone conversations, call logs ... everything is sent from the victim's phone to either email, cell phone, or a secure internet account.

All-in-one Spy Software. High quality mobile spy software, developed since 2006.

Spyera. A program installed on a smartphone to control everything that happens on a mobile phone. Secretly records all events (SMS, call history, phone book, location, emails, app messages, IM, Facebook chat, Skype and more) that happen on the phone and delivers this information to a secure web account.

SpyMaster. The most efficient and advanced mobile spy software. 100% hidden mode, leaves no chance of being detected. At least that's what the developers say.

From the editorial board, or instead of a conclusion

The era of total digital control is at hand, and most likely the current generation will see its full-fledged arrival. It's too late to fight, and it seems that only healthy indifference will help society cope with this problem (yes, ignoring it). By the way, we already see examples of this indifference on the part of both the “observers” and the “supervised”.

“Which photo, which video? We do not know, we are too lazy to look at the cameras (they are broken, nothing is visible in them, they are looking in the other direction), and even if we do, how do we know who this face belongs to? And is it a thief, or just passing by? In general, we do not know who surrounded your apartment and hijacked your car, please contact ... somewhere.”
“Hijacked naked photos? Well, that's okay, it's good for popularity.”