Smartphones under Attack

Malware and weaknesses in communication network protocols enable attacks against smartphones. Locating, eavesdropping and monitoring are among the objectives of such attacks. A peek into the world of tactical protection.

Over the last few years, smartphones have evolved into one of the primary devices for conveying and receiving information, be it digital information shared through the Internet and social media, cellular applications or voice communication. In the world of information, their role as switchboards makes smartphones prime targets for organized crime groups, intelligence services, hackers and companies involved in business intelligence.

Attacks against smartphones are diverse. They include direct attacks staged by installing software or hardware in the actual device, and attacks staged through the cellular network that exploit inherent weaknesses in the various communication protocols – including the SS7 protocol.

Protecting Two Worlds

One of the companies that develop protective products for smartphones is Vaulto, a member of the Netline group. It offers a solution for direct threats to the device as well as for threats coming from the side of the communication vendor (through the SS7 network). "The cellular phone is a computer that is vulnerable to threats," says Ilan Friedman, VP Business Development at Netline and currently in charge of Vaulto. "The difference compared to a PC stems from the fact that with the smartphone, each application runs on a separate VM. In other words, if you failed to Root, even an application attempting to provide protection will not have access to the various other applications.

"Some products can identify an attack even in a scenario of this type, and that includes the products of several Israeli companies that are doing a fine job in this field, but even a good protective tool will be restricted by definition. The malware can reach the device through phishing and install a Zero-Day based attack tool. As part of our solution, we assume that a determined attacker will be able to pass through the prevention systems, so we provide a solution that includes traps and other elements for the early detection of malware that had reached the smartphone.

"Apart from being a computer, a smartphone is also a telephone. The implication of this fact is that the device is vulnerable to another vector of attacks such as Man-In-The-Middle (MITM) attacks with the attacker posing as a base station. These systems intercept voice or data communication. Several Israeli companies are involved in this field. In most cases, the product resembles a suitcase or a bag capable of intercepting traffic from the smartphone in various ways, including volumetric monitoring with the user completely unaware. Some of these systems cooperate with the creators of Trojan horses and serve as a contagion device. They are regarded as tactical systems.

"Alongside these systems, there are systems based on the cellular network itself. These systems are linked to the communication operators. They are installed in the global telephone network and through the global switching system they can locate the user, monitor his device and pick up messages and chat correspondence.

"In the past, access to the telephone networks was the exclusive domain of major cellular vendors and government intelligence agencies, but in recent years things have changed and now civilian companies around the world have access to the global network. One familiar example – the companies that serve as virtual operators in the cellular network. Other companies obtain similar access, and based on that access they develop tools which they sell to governments so that they may intercept traffic from communication networks in other countries."

Rigidized Phones

To protect cellular telephones against attacks, some of the companies that emerged in recent years offer rigidized devices. These devices restrict the options available to the user in favor of enhanced information security. The problem with these devices is the difference in the user experience.

"When a CEO or a senior executive purchases a rigidized phone, he/she wants to have the same user experience as the one provided by his/her standard device, the experience he/she is familiar with," explains Friedman. "In reality, however, the user experience of a rigidized phone is different from that of a standard device. Security officers and information security specialists do not like rigidized phones as the employees complain about them – particularly executives, whose time is worth a lot of money. Users do not have patience for the rigidized phones, which change their user experience. Consequently, in most cases, people use two devices – a rigidized phone and a standard phone. But what good will two devices do if I am using volumetric monitoring on the standard device? Additionally, over time, the user neglects to keep the different environments separate.

"Our solution is fitted as a dialer on the user's standard phone and does not require the cooperation of the cellular operator in order to prevent locating. You must understand that if you have a permanent phone number and the opponent knows this number, unless you have protective measures like the one we offer or of the same type, the opponent will be able to locate you anywhere in the world. That is why terrorist and criminal organizations use 'disposable' phones, namely – they purchase a number of SIM cards, and regard them as disposable: once the card has been used, it will be discarded. In this way, they avoid being spotted by the security services.

"We solve this problem by separating the user's identity in the cellular network from the one in the cellular device. The user's original SIM card is pulled out of his/her device and he/she starts using another, temporary SIM card fitted into his/her device, to communicate, through an encrypted medium, with servers that transmit the call to the subscriber at the other end. The temporary SIM card may be replaced periodically so that no one can 'study' it, and this can be accomplished automatically and remotely. In this way, the calls are not transmitted from the Modem in the user's smartphone, but from a remote server.

"Another advantage is the fact that calls between system users are encrypted by the server from end to end. If only one of the parties is connected to the system, then the part of the conversation between that party and the server will be encrypted and the other part will not. Even in this case, the other party will see my original number. As far as the user is concerned, he/she will always receive an indication as to whether the call is encrypted from end to end or only as far as the server, and he/she will choose what to say and what to omit. With this solution, attacking me tactically will be difficult. If someone should come over with a suitcase and monitor the communication traffic between my device and the server, they will not be able to hear anything. It will not be voice communication traffic – just an encrypted datalink.

"In the event that the datalink fails to function and only a voice communication link is available, the server will transfer the call to the subscriber along with an indication to the effect that the call is not being encrypted. We designed the service so that the subscriber will never miss a call. He/she will receive an indication as to whether the call is being encrypted or not, and along which segments of the line, and will choose whether to accept the call and what to say during the actual conversation."

"The Objective: to Raise the Cost of the Attack"

"In order to attack me successfully and monitor my conversation, the attacker has to monitor the telephone communication medium between the server transmitting the call and the smartphone of the party receiving the call," says Friedman. "Even if they managed to do that – which is far from simple – the attack will only succeed if the other side is not a subscriber to our service, and consequently the segment between the server and that party will not be encrypted. In cases where the segment between the server and the other party is not encrypted, the user of our service will receive an indication to that effect through his/her dialer.

"There are other end-to-end encryption solutions in the market, but most of them require that both parties be subscribers to the service. The advantage of the server in the middle is that the segment between the subscriber and the server is always encrypted, even if the other party is not a subscriber to the service. There are other solutions that will alert you to the presence of a fake cellular cell in the area. Such solutions, which we have examined, necessitate the use of methods that might be supervised by the Ministry of Defense. We do not do that. All of the elements of our solution were developed so that it would not be supervised and would not inconvenience the user."

With tactical systems, the attack is initiated by identifying the subscriber's IMSI (International Mobile Subscriber Identity). With the solution offered by Vaulto, the attacker cannot find the user's IMSI as the original IMSI is not inside the user's smartphone. At the same time, an intelligence agency that tracks the subscriber can notice that there is a gap between the locating data for the smartphone and the actual location of the user, and might start investigating what that gap means. "These organizations should employ HumInt resources and invest quite a lot in order to monitor or locate the subscriber," explains Friedman. "Everyone knows that there is no such thing as foolproof protection. The objective is to raise the cost of the attack up to a point where it will no longer be worthwhile for the attacker.

"Our solution makes it possible to deploy such servers around the world and route the subscribers according to their preferred locations, even without the cellular operator's cooperation. If the cellular operator cooperates, we will be able to provide a more advanced solution. Cooperation with the cellular operator makes it possible to dynamically manipulate my location in the world, thereby making life even more difficult for the attacker. We can provide additional capabilities. We are currently engaged in a trial with operators in Israel and worldwide around such a solution."