MWR goes on TV to demonstrate ad-based flaws on mobiles

News by Tim Ring

MWR 'proves' ad flaws can be used to hijack mobile phones.

UK security firm MWR has hit back at industry claims that supposed advertising-based flaws on corporate mobile phones are difficult to exploit, by demonstrating how to hijack Android and Apple phones on Channel 4 TV using a ‘simple' man in the middle attack.

“We wanted to prove them wrong,” said MWR InfoSecurity senior security consultant Rob Miller.

In a report aired on Channel 4 last weekend, MWR showed that it could compromise both Apple and Android devices being used by a group of teenage students at the Sylvia Young Theatre School in London.

MWR exploited the fact that ad networks gather data from all the separate apps on a phone and send this data back unencrypted. Hackers can intercept the data via an MITM attack to access the different functions being managed by the apps and – in the cases of Android devices – break out even further to fully hijack the phone.

Rob Miller told “We were demonstrating these vulnerabilities and countering points that the advertising networks had made that ‘yes there are vulnerabilities but it would be incredibly hard and very unlikely for an attacker to actually carry it out'.

“What we wanted to do was to actually demonstrate - OK, this is the information going out, this is us detecting it through a simple man in the middle attack and it's then actually exploited.”

Miller said the attack works against Android and jailbroken iOS devices. In the demo, MWR went through the full attack path on an Android phone.

He explained: “The vulnerability on the Android platform itself meant the attacker could break out of the subset of functions and actually start executing any code they fancied.”

The functions that different ad networks – and therefore attackers – can access include collecting personal data, tracking the user's location via GPS, accessing photos, reading and deleting files, reading and sending emails and SMS messages, making phone calls, using the camera or microphone, and installing apps.

On TV, MWR was careful to “minimise” its attacks, demonstrating how it could view photos on the students' devices, but stopping short of opening them.

“We got to the point of finding the vulnerability through looking at the traffic going across the network from these adverts, and then detecting that there were these advertising bridges in there that they were using, exploiting it, proving that we could get access to the phone, listing the names of the photos on the SD card but going no further,” Miller said.

Despite the effective demo, MWR is not optimistic the ad networks will respond. It has alerted several networks where it found specific problems with their libraries, but Miller said: “In most cases they've been very positive but I still haven't seen cases where they've decided that encryption is the way to go.

“If they were to encrypt the traffic going back and forth from the adverts that would stop this entire attack. But for them I think it's a matter of cost, the overheads of implementing that is just too much for them.”

His advice for corporate security professionals is: “They should take this into account when considering whether to allow their employees to have and play games on a phone that's next to corporate data.

“You've got sensitive data on the same device as you've got these free games with adverts on them that are introducing new vulnerabilities into the phone.”

Commenting on MWR's work, cyber-security expert Amar Singh, CEO of the Cyber Management Alliance and chair of the UK ISACA Security Advisory Group, said the findings reflect badly on both the ad network suppliers, and the platform providers Google and Apple.

Singh told via email: “The providers of these ad networks must take greater responsibility to ensure that their processes and approach to privacy is robust and secure. The providers of the mobile platforms - Android and Apple - must ensure strict control over those who run these ad networks on their systems.”

In the meantime, Singh believes there is little hope for corporate security professionals that users will change their behaviour.

He said: “Ad networks have always been a problem and as the use of mobiles increases, the problem that was once confined to the traditional desktop or laptop computer is now rearing its head on our phones.

“It's unrealistic to expect getting rid of ad-supported apps - most of the free apps use ads as a source of revenue. Additionally, it's good advice that consumers must read and be aware of all the various ways an app ‘pokes around' - in theory yes, in practice this is impractical. People are going to play the game that the rest of their friends are playing, free or not.”

Crime & Threats

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews