June 18, 2019

Apple’s reputation for top-notch device security took a hit today when an Israeli forensics firm confirmed it could break into any iPhone or iPad, running any version of iOS.

The company Cellebrite develops equipment for law enforcement and the military that lets them unlock and gather evidence from devices owned by criminal suspects.

Some of its devices have been found online selling for as little as £60.

In many cases the handheld hacking machines hadn’t been properly decommissioned, so the police departments or other individuals who acquired them are flogging military-grade kit without doing a data wipe first.

Cybersecurity researchers are now warning that valuable case data and powerful police hacking tools may have leaked as a result.

According to the company website, Cellebrite provides ‘a solution for law enforcement agencies to extract crucial mobile phone data from any iOS or high-end Android device.’

It claims its devices can work out passwords and unlock any Apple device, giving the user access to third-party app data, messaging chats, emails and attachments, deleted files, and more.

One cybersecurity researcher was able to buy a dozen of Cellebrite’s premium UFED devices online and probe them for data.

He found information identifying devices that had been searched, when they were searched, and the kinds of data that had been deleted.

Unique handset identifiers such as mobile phone IMEI codes were also retrievable.

When White Hat kit falls into Black Hat hands

Law enforcement needs tools to crack PCs and phones as they can provide crucial evidence for criminal proceedings.

Most applications of the technology happen under the supervision of the courts. The problem is that sometimes that software and equipment leaks out beyond approved channels.

  • The WannaCry ransomware that exploded on corporate systems in 2017 was created in North Korea, but adapted from powerful spying software developed by (and leaked from) America’s own National Security Agency (NSA).
  • The recent WhatsApp zero-click attack against civil rights campaigners has been blamed on a company that works with Israel’s intelligence service.

Mobile devices are increasingly targeted by cybercriminals. If they can get their hands on the most sophisticated tools available, accessing valuable personal information gets much easier.

Amazon boss Jeff Bezos had his personal smartphone hacked by (reportedly) the Saudi government. Private images and texts were stolen, then leaked to US supermarket tabloid The National Enquirer.

While the world’s richest man has the resources to make hacking his phone harder – paying for additional encryption, using disposable ‘burner’ phones when travelling, or regularly replacing devices in order to reduce the risk that they’ve been compromised – ultimately, the security protections available for smart phones are pretty much the same for everyone.

In the wrong hands, a powerful hacking tool like Cellebrite’s smart phone cracker could do a lot of damage, and ruin a lot of lives.

How to protect your mobile phone data

Powerful military-grade hacking devices purchased on eBay make spectacular headlines … but they aren’t the only – or even the biggest – worry when it comes to mobile phone security.

Access to mobile devices can be gained via a phishing message, for example, with links to a new form of malware capable of getting around the phone’s defences. The latest mobile malware can even hide its signature behaviours inside the normal workings of a phone’s operating system.

So while you may not be able to catch every iPhone breach, most mobile device hacks exhibit tell-tale signs that a trained user can pick up on quickly. For example:

  • An odd spike in data usage. The average amount of data people use each month tends to be pretty consistent. If you notice that data usage has spiked or you’ve started exceeding your data allowance it could indicate that the phone has been compromised.
  • Weird background noises during phone calls, or while listening to music or video, could be a sign of malware infection. A hacker could be monitoring conversations – listening for certain keywords that indicate financial info or clues to personal logins.
  • Bluetooth switching on by itself. In 2017 researchers discovered malware that infects smartphones using active Bluetooth connections. More than 5 billion devices were compromised.

Steps you can take

Be wary of random links

Emails, texts and instant messages from senders you don’t know could be a phishing scam.

Keep your OS up-to-date

The majority of OS updates have a security patch or fix relevant to the latest threats. When prompted by the phone manufacturer to install a new update, click yes or schedule the install as quickly as possible.

Update passwords

It’s best to have multiple passwords for multiple devices, or use a password manager like MyKi that encrypts passwords and adds a further level of protection with a master password that keeps your data safe, even if MyKi gets hacked.

Keep an eye on lesser-known apps

Mobile app stores are full of apps that act as a delivery mechanism for spyware or virus infection. If an app regularly pushes out unexpected and intrusive pop ups or asks for personal information, your best bet is to delete it.

Desktop or mobile, the biggest risk factors in cyber security are human. We all need to be empowered with an awareness of the risks that come with mobile, and switched on to the signs of infection or breach.

If you have a BYOD policy in place at work, it should be well understood that when mobile devices are used away from the office – particularly on public wifi connections – the threat of infection tends to increase.

Want to learn more about empowering your employees with mobile security awareness training? Why not sign up for a free demo and find out how we’re already helping organisations just like yours?
