What Mobile sat down for a chat with Oliver Crofton, ethical hacker and co-founder of specialist security firm Vigilante Bespoke, about the creeping rise in mobile security threats and being taken down by security teams.
So what exactly does Vigilante do? I’ve read somewhere you guys infiltrate buildings pretending to be an employee?
The basis of our business is around information security and that’s separated into three sections.
One of them is for corporations so that’s advising on what we call penetration testing, which is looking from external internet based attacks through to internal employees pinching data. That’s where the physical stuff comes in where we social engineer our way into a building in order to get to a network. So that might be posing as a work experience employee or somebody who has come to check the fire extinguishers, that sort of thing.
Does that work very often?
Yes, the most successful type of attack in that instance is going to a completely cold business that we’ve not worked with in the past – they engage us with very limited information, so they may say ‘Right come and have a go at our building, our head office is at this address’.
What we’d do is look online, find out who the IT director is or someone who works in IT and then set a time. We’d ring up reception posing as the IT director to say ‘Oh I’m running late, but I’ve got a work experience person coming in at 11am, can you stick him in a room and I’ll be there in 20 minutes?’
Then we’d turn up on the site and they’d say ‘Oh yeah I’ve just had a call from whoever it is, come through and I’ll get you ready’, and then we’re in the building and can plug into the network. So yes, it’s quite a successful type of attack.
Do you have to have quite good actors, or do you just turn up?
[We provide] a little bit of training internally but not much, we just literally turn up and people will generally let you in.
A few years ago, we were taken down by security of the building but we obviously carry a letter to say this is a genuine test and whatnot.
Taken down as in, rugby tackled?
Not quite tackling but stopped in our tracks.
And what is the mobile component of your business?
We provide testing and consultancy around mobile, so with this big shift of ‘Bring Your Own Device’ into the marketplace at the moment with employees using their own personal devices for work related matters.
So we advise how to keep your corporate data safe, if a phone was stolen or fell into the wrong hands; we’d take a sample corporate device and pull it apart to see what information we could get off it in the same way a hacker would do if they’ve got hold of a phone.
What sort of information would you be able to get with run-of-the-mill mobile?
It really depends on the security configuration that handset has, it’s things like a four-digit pin code – if it doesn’t have a lock-out clause, you can usually get through every combination of four-digit pin code using a password cracker within about five minutes.
Then obviously you’ve got access to the whole handset and invariably they’ll have their email account synced to that handset, there may be passwords cached in the memory of a device, where they’re connected to WiFi networks, or any kind of Exchange password that might be saved on the handset.
It’s amazing how many people still use contacts in their phone book to save pin numbers and passwords, so you can scrape things like that. It’s amazing how much data is on your handset you don’t actually realise.
Any tips for not getting hacked if your phone falls into wrong hands?
On the iPhone for example you can set it to have more than four digits [for a pincode], so if you’ve got a four digit pin code on there, the display on the screen is just for four digits; you can see that it’s limited to four.
Whereas if you make it five, the screen displays it slightly differently so that it’s an unlimited number of digits, and then a hacker would never know how long your password is, the combinations could be almost impossible to guess – something as simple as that.
What other kind of security issues are there for mobile?
Wifi hacking has been around for a while now, with fake Wifi networks – that’s quite a popular hack where people are setting up fake Wifi networks to harvest people’s phone names and try and push malware onto handsets.
So, somebody connects to a false network and is presented with a fake page?
Either false pages or, when you’re logging into Facebook for example on your mobile and you’re connected to a fake wireless network, the way your phone is authenticating with Facebook is using cookies, so the Facebook app encrypts the cookies.
But if you go to Facebook via the web browser on your handset, the cookies aren’t encrypted so they can be intercepted and then a hacker can log in as you, using a cookie and get access to your Facebook page in the same way that you access it.
How do you avoid falling into that trap?
First of all, I would log in via the app on your handset – try and use apps where possible, because generally speaking the major players, Google, Facebook, Twitter, the app security tends to be better in the way it authenticates through the website.
I personally would avoid using public WiFi networks, I would go over 3G or 4G, just because [with WiFi] you’re effectively using a network that you don’t know who has got access to it; sometimes even if you’re connected to a hotel network, maybe the administrator of a hotel network could be paid off, could be working as a sideline, sending login details and things.
Physical hacking, Wifi networks and malware – anything else to be aware of for mobile?
Quite a big thing on the Android platform, and some of the apps through the App Store with Apple, but especially Android because the apps are not vetted in the same stringent way that they are with Apple – quite often applications will harbour malware in the background, and potentially either harvest details, when you’re using a handset, to a third party or be monitoring what you’re doing and can be quite nasty.
It’s always a good idea to check how many times an app’s been downloaded previously: if it’s only 25 times or something, then obviously be slightly cautious of that. If it’s been downloaded half a million times, you’ll generally be okay because it would have been caught by then. As a rule of thumb, just download legitimate apps that you’ve heard of in the past and that have got a long history.
Is Android the most insecure operating system?
It tends to be because it’s open source, and it’s not vetted and administered as closely as the other marketplaces.
Does that mean Firefox OS could also have a problem in that area?
Potentially yes, it has the same sort of protocol, same sort of open source methodology behind it, which is great for developers and great for innovation but ultimately you’re relying on people not being nasty or trying to be malicious with the way that they develop.
Is Apple’s store then the best model in terms of app security?
It is, but it’s restrictive on innovation, so whilst the security levels are slightly better and I think there’s a 48-hour checking process for apps, it’s quite difficult to get an app on the App Store, just because of the checks that they go through. With Android it’s a lot easier, so it does stifle a bit of creativity but also it helps protect users’ data a bit more.
Just how common are mobile security issues? Do we really need to worry?
I think it’s certainly getting closer, it’s certainly creeping up on us. Companies are starting to sell anti-virus now and security software for phones.
I don’t think we’re anywhere near the peak of what’s going to happen, I think we’re still quite early days in the way that the phones operate and the way that the hackers have grasped the idea of getting people’s login details and things like that.
Once people start using mobile for more banking related activities and start using it for more of a digital or technology life style I think we’ll see more and more instances of nasty attacks happening.
I think one of the reasons it hasn’t taken off so far is because of the data connectivity to handsets, but when 4G is properly rolled out you’ve potentially got much faster connections, so keyloggers and things like that could legitimately be used on a handset, whereas at the moment trying to get a connection to a handset for a prolonged period of time over 3G or even less is quite difficult.
And for physical and wifi threats?
Yes, I think we’ll see more of that as things develop. I think it’s still quite small, there tends to be a heightened amount of fake WiFi networks and that type of attack during high profile events and when there are a lot of people around, like last year during the Olympics.
There are a lot of fake networks where you’ve got a lot of foreign people coming in visiting a country and wanting to avoid high roaming charges, and so they’ll use free WiFi networks where they can and that’s obviously a prime [target]. Airports as well are a popular place for fake WiFi networks because people are travelling in and out, trying to keep phone bills down.
What’s the most common mobile security issue?
Just from experience, I would say at the moment for the general consumer, you’re looking at downloading apps with malware in them.
Where do you see mobile security issues moving and just how good will hackers get?
Cyber crime is the most profitable crime in the world.
If you take all of the drug dealing in the world, any kind, like cannabis through to heroin, if you add the revenue through all of those different criminal activities, it’s still less than what cyber crime is, what it costs people and what it costs the global economy.
So it’s incredibly well funded and it’s very profitable for hackers to do it, so it’s not an issue that’s going away, it’s only going to get worse, and the likelihood of getting caught as a malicious hacker is very slim, because you can obviously hide behind different countries.
The task forces, the police authorities set up to catch hackers, are massively under-resourced, and to be fair they’re really only interested in national infrastructure, so they’re interested in the hacking of power stations and road networks rather than ‘Oh I’ve lost £100 from my NatWest account’.
Until the global task force get together and have a collaborative approach, we’re just going to keep playing catch up. The cyber criminals are very well funded and unfortunately the people who are trying to catch them aren’t.
When we investigate a hack, we often get brought in once corporate data has been leaked, or something has happened where data has gone missing or been stolen. If it goes international, it’s incredibly difficult to try and tie up different jurisdictions around the globe to have a collaborative approach to catch who the criminal is; nobody’s talking to each other at the moment. If the hack happened in America for example and is traced back to Africa or Brazil or even the UK, the authorities don’t really like to talk to each other very much and their responsibility stops when it leaves their country.
What was the weirdest, most interesting mobile-related case you’ve had?
If you rewind 20 years ago, one of the most common bugging techniques was using baby monitors, so if someone wanted to listen to a conversation they’d stick a baby monitor in one room and they’d go and listen 200 yards away on the other end of the monitor. That’s really low tech and obviously very easy to set up. Today with mobile phones, people are still using quite low-tech techniques in order to intercept communications.
There’s this software called mobile-spy.com, you put it on someone’s phone and you can intercept all the text messages, all the call logs, you can see where they’ve gone over Google maps, you can look at the photos they take, you can basically get full access to their mobile phone but you log into a website and see everything in their phone replicated onto this website. That’s quite a common type of software that’s used to monitor both, I hate to say it, within relationships but also maliciously when someone wants to monitor a business competitor or someone they’re in legal conflict with.
Is the ‘no one would bother to hack me’ attitude a dangerous one to have?
Yes, unfortunately it’s a common attitude people have which puts them even more at risk. People should treat their technology in the same way as their physical property – would the same people leave their front door unlocked? Doubtful.
What’s your poison, smart-phone wise?
I at the moment use BlackBerry, but I am going to move away. I was waiting for the release of the new BB10, I’ve got to be honest with you, I’m a bit disappointed with it so I’m unfortunately going to finally go over to iPhone.
Password Keeper on the BlackBerry, which is going to be a pain when I don’t have it anymore.
If you could have anything attached to your phone, what would it be?
I would have a chocolate fountain.
Self re-filling, obviously?
Yeah, press a button and it pops out the bottom.
And if you could have one person to voice Siri, who would it be?