RoundUp: A Decade of Smartphone Vulnerabilities
A roundup of the most dangerous smartphone vulnerabilities of the last 10 years
Mobile phones have a mostly deserved reputation for being safer than desktop and laptop computers. Operating systems like iOS and Android benefit from built-in features like segmentation and encryption. These offer vastly better security protections than the architectures underlying older versions of Windows. Software distribution through app stores is also a major step forward from the wild west of the Windows world.
However, it’s good to remember that it’s all relative. Mobile is less vulnerable than the traditional desktop world, but it’s vulnerable nonetheless. And a roundup of the last decade quickly shows that these vulnerabilities are significant.
4,000 patched vulnerabilities – and counting
In the last decade Apple and Google have patched an extraordinary total of more than 4,000 vulnerabilities in iOS and Android. There has always been a general perception that Android is much less secure. However, the number of vulnerabilities is split 60/40 Android/iOS. And, a number of these vulnerabilities were fixed after cyber spies and cyber criminals had already exploited them.
Some of the most high-profile incidents include:
Strandhogg (2019)
The latest major Android flaw was disclosed in November 2019. Hackers used this vulnerability to compromise banking apps by putting malware on various apps in Google Play. The vulnerability was discovered after cyber criminals drained several Czech customer bank accounts. Researchers confirmed that every version of Android was at risk.
Uighurs (2019)
Earlier this year, Google security researchers disclosed that they had identified a long-running hacking operation targeting the Uighurs, the Muslim minority community in the Chinese province of Xinjiang. The attack exploited vulnerabilities in iPhone security which allowed spyware to be remotely installed on users’ smartphones.
Once installed, the spyware could be used to track their locations and to gain access to sensitive information such as passwords. Users were tricked into clicking a link on a number of malicious websites which then installed spyware onto their phones. Google and Apple argued over details such as how long the spyware was on the devices and how many people were impacted.
Trident (2016)
A set of three iOS vulnerabilities collectively known as Trident was exploited in a hacking operation targeting civil rights activists in a number of regions. The vulnerabilities allowed hackers to install the notorious Pegasus spyware (developed by Israeli cyber espionage company NSO) onto mobile devices without users knowing.
The hackers sent an SMS with a seemingly innocuous link that, when clicked, restarted the phone and installed the spyware without any visible warning to the end user. The spyware could then access every element of the phone including emails, passwords and apps including Facebook, WhatsApp and Viber.
StageFright (2015)
StageFright, although not an exploit, was a catastrophic Android vulnerability nonetheless. Before the patch was issued, it was reported that Android devices had been vulnerable to attack for five whole years! Researchers found the flaw in the Android media library.
Not just your operating system…
Some of the most notable vulnerabilities have arisen not in the operating system itself but in applications. While Android, due to its greater openness, has long had a problem with unsafe apps, Apple has also fallen foul of this menace over the decade. Two of the most notable examples were:
Pegasus/WhatsApp (2019)
Cyber criminals targeted WhatsApp earlier this year. The hackers managed to exploit a vulnerability in the audio call feature of the messaging service. Users did not even have to answer the call for spyware to infect the mobile device. WhatsApp reacted quickly and issued an update which disabled the spyware. Facebook are currently suing NSO, the Israeli cyber espionage company they believe to be responsible for the attack.
XcodeGhost (2015)
XcodeGhost made headlines for Apple in 2015 when a number of apps in the App Store were found to contain malware. Xcode is the programming framework that Apple use to create their iOS apps, Mac OS and Safari extensions. An insecure version was distributed in China, affecting approximately 3000 – 4000 devices. Third-party libraries used by app developers for monetization and analytics have repeatedly been used by bad actors to infect otherwise benign apps with malware.
And then there’s the hardware vulnerabilities…
Smartphones contain an unprecedented array of hardware components including processors, communications chips, sensors and location trackers. And, in the last decade we’ve seen a host of vulnerabilities discovered in different parts of these complex machines:
BlueBorne (2017)
BlueBorne caused a major stir in the cyber security world when a Bluetooth vulnerability was discovered on smart devices. The vulnerability would allow hackers to disguise malware as a visible connectable Bluetooth device. Once they inserted malicious code onto the device, they could potentially listen to calls, read messages, put ransomware on the device or use the device to spread the malware further.
The scariest part was that victims did not even have to connect to the ‘unknown’ device, activate or authenticate anything for hackers to gain access. Also, reports suggest that the entire attack only took ten seconds to penetrate the phone.
Krack (2017)
Krack was an extremely serious Wi-Fi vulnerability. Hackers could steal any information passing over a Wi-Fi network such as passwords or credit card details. Experts told users to be wary of connecting to public Wi-Fi hotspots and to only browse websites with HTTPS encryption.
Spectre and Meltdown (2018)
Spectre and Meltdown were chip-level vulnerabilities that allowed cyber criminals to hack into the hardware of the device. From there, they had access to the phone’s memory, which contains sensitive information such as passwords. Criminals were able to penetrate the device through malicious apps or an internet browser.
Bottom Line
As Lenin famously put it, “What is to be done?” His answer was of course the complete overthrow of the capitalist system. In contrast, we’d suggest some regular house-cleaning and precautions.
Housekeeping: keep your devices up to date with patches. Also, make sure you don’t have old unpatchable devices accessing your critical systems.
Precautions: put a mobile security solution in place that prevents cyber attackers accessing your devices. Equally, choose a solution that lets you know when a device has gone rogue.
And, now with your mind put at rest, enjoy the festive season and best wishes for a happy, safe and prosperous new year from the Corrata team!