How and why I allowed my smartphone to be hacked

Opinion by Dan Raywood

This week I allowed a hacker to infiltrate my smartphone purely in the interests of journalism.

This week I allowed a hacker to infiltrate my smartphone purely in the interests of journalism.

I will admit that my attacker did so with my permission, as he was arguably counting on this coverage. However what it did lead me to realise was that hacking devices is in fact very easy and affordable to do.

The hacker in this case was Jason Hart, who recently participated in an experiment to see how many WiFi connections were unsecured and how many users would connect to a free network without consideration of what it was or how their details would be harvested.

In his day job, Hart is CEO of two-factor authentication specialist CRYPTOCard but in our recent meeting he demonstrated just how easy it is to hack computers and mobile devices in a public place. With a remote device costing around £40 and free software, Hart encouraged me to connect to it using my iPhone.

From here he asked me to access a web page, naturally I chose SC Magazine via the Safari browser. The software then recorded my activity as I selected story links randomly and as I then accessed apps my passwords were recorded as I logged in.

For most white hats and researchers I am aware that this is hardly revelatory, but what was concerning is that in this case Hart had named the device ‘hack test', but he told me that for the experiment it was renamed ‘BT Openzone' which Apple iPhones automatically connect to.

Talking about the experiment, Hart said: “We had public hotspots in six cities and people connected, unaware of the risks. All it takes is a rogue wireless network with a trusted name and people connect in.”

Asked if it can collect sensitive data, he said that the setup allows the IP address to be seen and a hacker can use this to capture sensitive data. He later said that the process of hacking has now covered three stages: servers, browsers and now passwords, as ‘you are invincible with someone's password'.

“The new way is with a username and password, you can all be breached and if you do not solve it, fundamentally everything is flawed,” he said.

He said that on underground forums, more money is paid for usernames and passwords than for credit card details as more sensitive information can be gained.

What was demonstrated was certainly revealing, but at the same time it was also rather terrifying that with an ounce of knowledge of how to set up a sniffer and with a free software download your online activity and credentials can be intercepted and recorded.

As Hart said to me, everything is generally protected by one password; be it a hotmail account, PayPal account or private cloud.

Topics:

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events