Mobile hacking is a versatile field that is on the rise, but how do malicious hackers and cybersecurity professionals approach the subject? This section explores the main techniques for the exfiltration of personally identifying information from mobile devices. The latest methods are explained along with methods of detection and prevention.
As we’ve discovered in previous sections, mobile hacking
is an exciting new field of cybersecurity with extensive possibilities and many points of access. Unauthorized access to communications data, recording instruments such as microphones and cameras, and location data has dramatically altered the cybersecurity landscape. However, attackers still have to find a way to access the target’s device. This section will explore the techniques utilized by mobile hackers to compromise mobile devices and gain access to sensitive information. This includes phishing, old-school voicemail attacks, Bluetooth techniques, physical access, and malicious software.Phishing is a tried-and-true method for many hackers across nearly any platform. Mobile platforms allow phishers to engage with targets in new ways. For example, a hacker can hide a fabricated input form or malware download in a convincing SMS message. The attacker can also leverage social media apps to send malware links or false input forms. If designed properly, SMS phishing can target many users at once and successfully install on a significant portion of them.Voicemail attacks are one technique that harkens back to the days of phreaking and the origins of hacking. Phone companies often select a default voicemail PIN for accounts that have not yet specified one, and these default PIN codes are available online. The hacker then calls the target’s voicemail, references the default PIN code, and gains access to their voicemail account. The hacker can then collect information from voicemails, gain unauthorized access to phone menus, and make unauthorized changes to services that rely on voicemail and automated menus.Bluetooth hacking is a powerful approach for many mobile hackers, but it is not as frequently used as phishing or malware attacks
. Bluejacking is the method of sending unsolicited messages over mobile Bluetooth connections. Bluesnarfing, on the other hand, is the process of collecting personal information on the target though Bluetooth information requests. Bluebugging is the process of uploading malicious data or gaining root access through the same channels as Bluejacking and Bluesnarfing. The Bluetooth
protocol for business cards can be exploited to allow the hacker’s device to access the target’s device directly.A more direct, obvious technique for mobile hacking is a hands-on approach. Attackers with physical access to the device can quickly and covertly install malicious software or make unauthorized connections. However, this attack is not very likely unless the target is high-profile and difficult to access through other means. More likely criminals would simply keep the phone than install malicious spyware and plant it.Most critically, attackers will use malware designed for mobile devices
to exploit smartphones. This includes the infamous SkyGoFree and other spyware designed to collect data on the user. These programs can collect audio through the microphone, record photos and video through the camera, track live location data through GPS, monitor personal communications, and be configured to trigger in specific locations and contexts. Malware is likely the most widespread approach for mobile hacking, and spyware is the most extensive incarnation of this. Mobile malware can be installed through SMS messaging, Bluetooth hacking, online phishing attacks, and many other means.Preventing mobile attacks is a matter of understanding the mind of the attacker. What approaches is a hacker most likely to use? What does your typical phishing message look like, and how can it be avoided? Many of these techniques apply towards preventing attacks on standard desktop computers while mobile computers are no different. Mobile hacking provides a new, exciting context for users, malicious hackers, and cybersecurity professionals.