Monday, April 05, 2010

Graduate Students Hack Your Cell Phone...

Being on multiple cybersecurity email lists, I'm sometimes fascinated by what's happening out there. This morning, I was notified about how a group of graduate students from Rutgers University, working under a grant sponsored by the National Science Foundation, were asked to take a smart phone platform commonly used by software developers and develop malicious applications that a user may not even notice.

Witness your tax dollars being put to work...

Suppose you're a criminal who wants to surreptitiously monitor someone's every move and even eavesdrop wherever they take their phone? Yes, as it turns out, there's an app for that, too.

Few smart phone users realize that the same characteristics that make these devices so useful can be hijacked and used against them...

The team decided to inject software components known as rootkits into the phone's operating system. Rootkits are a particularly devious threat to a computer, because they attack the operating system itself. Traditional antivirus software, therefore, may not be able to detect them because they don't appear to be standalone applications or viruses. Most desktop computers are protected from rootkits by something known as a virtual machine monitor, but because of their limited size and limited energy resources, smart phones don't deploy these monitors, making it very difficult to know a rootkit attack has taken place.

Once the rootkits were in place, the researchers were able to hijack a smart phone by simply sending it a text message. This allowed them to do things like quietly turn on the device's microphone, enabling them to hear what was going on in the room where the phone had been placed. Another attack trained the phone to use its GPS capabilities to report the phone's exact location without the user's knowledge. By turning on various high-energy functions, the team was even able to rapidly drain the phone's batteries, rendering it useless.

It's important to stress that the Rutgers team presented their results at a conference, and even posted a webcast. This demonstrates how there was no malicious intent on their part and justifies the notion of their hacking efforts being for research purposes only.

The dirty little secret in cybersecurity circles is that, in order to defend against hacking threats, wannabe experts must learn how to hack themselves. Courses are routinely taught on the subject, systematizing certain practices that could potentially be used in, shall we say, an unethical manner.

But don't let stories like this one - about respectable researchers - frighten you. Like guns, hacking doesn't destroy things; people who hack do.

