Original URL: https://www.theregister.com/2010/02/23/smartphone_rootkits_demoed/
iPad and smartphone rootkits demo'd by boffins
Cracking into the ultimate spy device - in your pocket
Posted in Networks, 23rd February 2010 12:53 GMT
Computing boffins say they have demonstrated rootkits which can be used to turn your smartphone or "upcoming tablet computer" into a remotely-activated bugging or tracking system.
“Smart phones are essentially becoming regular computers,” says Vinod Ganapathy, computing prof at Rutgers uni in New Jersey. “They run the same class of operating systems as desktop and laptop computers, so they are just as vulnerable to attack by malware.”
Ganapathy and his colleagues developed various rootkits for demonstration purposes, choosing that class of malware because - they say - the virtual machine monitors which desktop rootkit detectors rely on to inspect the operating system from outside can't yet be run on portable devices.
According to the boffins:
Rootkit attacks on smart phones or upcoming tablet computers could be more devastating because smart phone owners tend to carry their phones with them all the time. This creates opportunities for potential attackers to eavesdrop, extract personal information from phone directories, or just pinpoint a user’s whereabouts by querying the phone’s Global Positioning System (GPS) receiver. Smart phones also have new ways for malware to enter the system, such as through a Bluetooth radio channel or via text message.
“What we’re doing today is raising a warning flag,” said Ganapathy's fellow-prof Liviu Iftode. “We’re showing that people with general computer proficiency can create rootkit malware for smart phones. The next step is to work on defenses.”
The researchers demonstrated means whereby a badhat could send a text message to an undetectably-rootkitted phone - a message which the rootkit intercepts and hides from the user - causing the phone to place a call out, for instance during a meeting, so that the malware operator can listen in to conversations around it. Likewise it was possible to query the phone's GPS so as to locate or track its owner.
It was also possible to remotely switch on multiple power-hog capabilities of the phone - for instance WiFi, GPS and Bluetooth all at once - and so drain its battery without the owner noticing.
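A simulation of the command channel described above, added here as an example and not code from the article or from the Rutgers team. A kernel-level hook sees every incoming SMS before the messaging app does; a message in a trigger format is consumed and dispatched as a command and so never appears in the inbox, while ordinary texts pass through untouched. The trigger prefix, the command names, the sample messages and the hidden-message check at the end are all constructed for the demo.

```python
"""Simulation of an SMS-triggered rootkit command channel (added example).

Trigger prefix, command names and all messages below are constructed;
nothing here is taken from the Rutgers rootkits themselves.
"""

TRIGGER = "#rk:"   # constructed trigger prefix; anything else is a normal SMS


class Phone:
    def __init__(self):
        self.inbox = []       # what the user-facing messaging app sees
        self.modem_rx = 0     # SMS the baseband actually delivered to the OS
        self.actions = []     # side effects the hidden commands caused

    # The rootkit's hook: runs on every SMS before it reaches the inbox.
    def rootkit_sms_hook(self, sender, body):
        if not body.startswith(TRIGGER):
            return False                       # not a trigger: let it through
        cmd, _, arg = body[len(TRIGGER):].partition(" ")
        if cmd == "call":                      # silently dial out, mic open
            self.actions.append(("call", arg))
        elif cmd == "gps":                     # read a GPS fix, report to arg
            self.actions.append(("gps", arg))
        elif cmd == "radios":                  # switch on power-hungry radios
            self.actions.append(("radios", arg.split(",")))
        return True                            # swallowed: never shown to user

    def receive_sms(self, sender, body):
        self.modem_rx += 1
        if self.rootkit_sms_hook(sender, body):
            return
        self.inbox.append((sender, body))


def hidden_sms_count(phone):
    """Cross-layer check: messages the modem delivered minus messages the
    inbox shows. A rootkit that hides its triggers leaves a gap here.

    Caveat: a counter kept on the compromised host is only meaningful if
    the rootkit does not also control it; in practice the modem-side
    figure would have to come from the baseband or carrier records.
    """
    return phone.modem_rx - len(phone.inbox)


def demo():
    p = Phone()
    # constructed traffic: two ordinary texts interleaved with three triggers
    p.receive_sms("+15550001", "running 10 min late")
    p.receive_sms("+15550002", "#rk:call +15559999")
    p.receive_sms("+15550001", "ok see you there")
    p.receive_sms("+15550002", "#rk:gps +15559999")
    p.receive_sms("+15550002", "#rk:radios wifi,gps,bt")
    return p


if __name__ == "__main__":
    phone = demo()
    print("inbox:", phone.inbox)
    print("hidden commands executed:", phone.actions)
    print("messages delivered but not visible:", hidden_sms_count(phone))
```

The user sees only the two ordinary texts; the three triggers leave no trace in the inbox but have placed a call, pulled a GPS fix and switched on Wi-Fi, GPS and Bluetooth. The count comparison is the kind of cross-layer check that can expose a hidden channel, with the caveat in its docstring.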
For some owners, a hacked phone = death, by hit squad or laser guided missile
Capabilities of this sort have long been supposed to exist and to be in use by police, intelligence agencies and perhaps other organisations. Many security pros advise clients to remove batteries or leave phones outside for important meetings, and even before the widespread advent of GPS it was often possible to locate a phone fairly accurately by asking it which mobile masts it had in range and working out its distance from each of them from the timing of their signals. Where access to the phone can be gained, there are even commercial spyware packages to be had - though not many thus far based on rootkits.
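The mast-timing method mentioned above, worked through as an added example (not code from the article or from any of the organisations it mentions). A GSM handset is told a timing advance (TA) for each cell it talks to: the number of bit periods (one bit period is 48/13 microseconds) it must transmit early so its bursts land in the right slot. One TA step corresponds to roughly half that interval times the speed of light, about 553 m of range, so each mast gives a distance ring around its known position, and three or more rings intersect near the phone. The mast positions, the phone's true position and the resulting TA values below are constructed; the solver is an ordinary Gauss-Newton least-squares fit on the range residuals.

```python
"""Locating a handset from cell-tower timing advance (added example).

Tower positions and the phone's true position are constructed; the TA
values are derived from them by quantising true range to TA steps.
"""
import math

C = 299_792_458.0                          # speed of light, m/s
TA_STEP_M = C * (48 / 13) * 1e-6 / 2       # ~553.5 m of range per TA step


def range_to_ta(dist_m):
    """What the network would report: range quantised to whole TA steps."""
    return int(dist_m // TA_STEP_M)


def ta_to_range(ta):
    """The phone lies within [ta, ta+1) steps; use the ring's midpoint."""
    return (ta + 0.5) * TA_STEP_M


def locate(towers, tas, iters=50):
    """Gauss-Newton least squares on range residuals, 2-D, metres.

    towers: list of (x, y) mast positions; tas: TA value seen at each mast.
    Returns the estimated (x, y) of the handset.
    """
    ranges = [ta_to_range(t) for t in tas]
    # start from the centroid of the masts
    x = sum(t[0] for t in towers) / len(towers)
    y = sum(t[1] for t in towers) / len(towers)
    for _ in range(iters):
        # residual r_i = |p - tower_i| - range_i; Jacobian row is the unit
        # vector from tower i to the current estimate
        J, r = [], []
        for (tx, ty), rng in zip(towers, ranges):
            dx, dy = x - tx, y - ty
            d = math.hypot(dx, dy) or 1e-9
            J.append((dx / d, dy / d))
            r.append(d - rng)
        # normal equations (J^T J) delta = -J^T r, solved for the 2x2 case
        a = sum(j[0] * j[0] for j in J)
        b = sum(j[0] * j[1] for j in J)
        c = sum(j[1] * j[1] for j in J)
        g0 = sum(j[0] * ri for j, ri in zip(J, r))
        g1 = sum(j[1] * ri for j, ri in zip(J, r))
        det = a * c - b * b
        if abs(det) < 1e-12:               # degenerate geometry (collinear masts)
            break
        sx = -(c * g0 - b * g1) / det
        sy = -(-b * g0 + a * g1) / det
        x, y = x + sx, y + sy
        if math.hypot(sx, sy) < 0.01:
            break
    return x, y


def demo():
    """Constructed scenario: three masts, phone at a known spot."""
    towers = [(0.0, 0.0), (6000.0, 0.0), (0.0, 7000.0)]
    true_pos = (2500.0, 3100.0)
    tas = [range_to_ta(math.hypot(true_pos[0] - tx, true_pos[1] - ty))
           for tx, ty in towers]
    est = locate(towers, tas)
    err = math.hypot(est[0] - true_pos[0], est[1] - true_pos[1])
    return {"tas": tas, "estimate": est, "error_m": err}


if __name__ == "__main__":
    result = demo()
    print("timing advances seen:", result["tas"])
    print("estimated position (m):", result["estimate"])
    print("error vs true position (m): %.0f" % result["error_m"])
```

With only three masts and TA quantised to 553 m rings, the fix lands within a few hundred metres of the true position in this scenario; more masts, or timing measured more finely than GSM's TA, tighten it further, which is why the method was usable long before handsets carried GPS.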
In general, mobile experts hold that such malware must be inserted into a phone by gaining physical access to it, or perhaps by traditional victim-operated means such as email attachments, Bluetooth transfers etc. Remotely inserting malware via a mobile voice or data link without cooperation by the phone user is said by most experts to be impossible, and certainly Ganapathy, Iftode and their crew demonstrated no such capability.
There have been hints, however, that at least one US intelligence outfit - specifically the shadowy military group known variously as the US Army Intelligence Support Activity, the "Army of Northern Virginia", "Gray Fox", "Centra Spike", "Task Force Orange" etc etc - may be able to do at least some things to a phone without any Bluetooth, physical access etc.
Some accounts suggest that Activity knob-turners in light aircraft were able to cause apparently switched-off phones to turn on without their users' knowledge as long ago as the secret war against Pablo Escobar, back around 1990. More recently it has been reported that Qa’ed Sunyan al-Harethi, an al-Qaeda bigwig who had the dubious distinction of being the first man to be assassinated by a Predator robo-plane, was fingered for the Hellfire missile strike which killed him by Activity analysts who "remotely programmed" his phone "to switch itself on".
Whether or not smartphones can be attacked remotely through their mobile-network link now, there can't be much doubt that the day is coming - and as the Rutgers researchers (and the soldier-spooks of the Activity) have shown, malware in a device you carry with you switched on all the time can be even more damaging than when it's in a normal computer. ®