phone hacking

How could voicemail insecurity affect your Facebook, Google or Yahoo! account?

May 20, 2014October 25, 2018mobilephonesecurity936843331Leave a comment

It is nearly three years since the News of the World voicemail hacking scandal erupted (a case that’s in court right now). The blog and article I wrote at the time are still the most popular posts I’ve written. I was involved in drafting a set of guidelines for network operators which was published very soon after.

I was therefore quite surprised when a friend sent me the following link which explains how web application security researcher Shubham Shah managed to use voicemail vulnerabilities within network operators to exploit two-factor authentication (2FA) for some pretty major services (e.g. Google, Yahoo!, LinkedIn and so on). The way that 2FA is setup sometimes is that it will call your mobile number. Obviously an automated system isn’t usually setup to determine if you actually answered the call, so the code can go through to voicemail. And that’s how the attack goal is achieved. If the attacker can get into your voicemail account via a vulnerability in procedures or via CLI (Calling Line Identity) spoofing (i.e. faking your phone number), then they can get access to the rest of your life. Sounds simple and it is.

New stuff and a shop…

August 4, 2011October 25, 2018mobilephonesecurity936843331Leave a comment

So I’ve made a few changes this evening on the blog. You’ll notice a few links above which you can peruse (and there are more to come) and of course, as promised I’m selling the “it’s not f**king phone hacking” t-shirts through the official mobilephonesecurity.org shop. There’ll be more in there soon, but why not treat yourself to a default PIN #hackgate mug? It’s as easy as 1,2,3… (actually I won’t go there).

Blackhat & DEFCON19 – mobile presentations

August 2, 2011October 25, 2018mobilephonesecurity936843331Leave a comment

With the main sessions of Blackhat starting tomorrow morning (Las Vegas time), I’ve posted the mobile-related talks here for those who are interested.

The mobile hacking training course which took place today (I think) was sold out. What has interested me the most is the increase in interest from the security and hacking community in all types of mobile platforms. As you’ll see below, there are really quite a few presentations focussed on mobile. Also, as smartphones become more advanced, a lot of the other presentations not listed here become relevant (for example web application security). I just want to highlight two of the presentations: ‘Aerial Cyber Apocalypse’ which will demonstrate a UAV equipped with WiFi and GSM hacking capabilities (see the picture below) and ‘War Texting: Identifying and Interacting with Devices on the Telephone Network’ which shows attacks on car systems which use SMS to remote control the car. Fun in the sun.

From: http://www.geek.com/articles/geek-pick/wasp-the-linux-powered-flying-spy-drone-that-cracks-wi-fi-gsm-netwokrs-20110729/

Blackhat USA 2011 (Briefings 3-4th August)
Schedule: https://www.blackhat.com/html/bh-us-11/bh-us-11-schedule.html

Don A. Bailey:
War Texting: Identifying and Interacting with Devices on the Telephone Network

Karsten Nohl + Chris Tarnovsky:
Reviving smart card analysis

Andrey Belenko
Overcoming IOS Data Protection to Re-enable iPhone Forensics

Ravi Borgaonkar + Nico Golde + Kevin Redon:
Femtocells: A poisonous needle in the operator’s hay stack

Dino Dai Zovi:
Apple iOS Security Evaluation: Vulnerability Analysis and Data Encryption

Richard Perkins + Mike Tassey:
Aerial Cyber Apocalypse: If we can do it… they can too.

Long Le + Thanh Nguyen:
ARM exploitation ROPmap

Jennifer Granick:
The Law of Mobile Privacy and Security

Riley Hassell + Shane Macaulay:
Hacking Androids for Profit

Tyler Shields + Anthony Lineberry + Charlie Miller + Chris Wysopal + Dino Dai Zovi + Ralf-Phillipp Weinmann + Nick Depetrillo + Don Bailey:
Owning Your Phone at Every Layer – A Mobile Security Panel

DEFCON19: (4th-7th August)
Schedule: https://www.defcon.org/html/defcon-19/dc-19-index.html

Abusing HTML5

Cellular Privacy: A Forensic Analysis of Android Network Traffic

Getting SSLizzard

This is REALLY not the droid you’re looking for…

Mobile App Moolah: Profit taking with Mobile Malware

Wireless Aerial Surveillance Platform

Seven Ways to Hang Yourself with Google Android

Staying Connected during a Revolution or Disaster

So, plenty to keep everyone going then! It’ll be interesting to see what the next few weeks bring.

Phone hacking t-shirt

July 26, 2011October 25, 2018mobilephonesecurity9368433312 Comments

I decided to get a t-shirt to answer the question that everyone asks me at the moment. If you like it, let me know. Also if you have any good ideas for “phone hacking” related t-shirt slogans, leave a comment!