You are here

How Hackers Are Attacking Mobile Devices

Written by: Michael J. Unsworth, CISA
In last month’s Banking Technology Connections, we shared some of what we learned at DEF CON 24 - one of the largest hacker conventions in the world. Another major theme from our trip to DEF CON this summer involved mobile devices. Specifically, people are using mobile phones in place of everything from computers and GPS devices, to their credit cards. The more dependent we become on these devices, the more valuable they are as targets for hackers.

We saw numerous presentations at DEF CON that demonstrated ways to attack cell phone transmissions, operating systems - both Android and iOS - and payment apps. Many of these attacks would never be noticed without specialized equipment. For example, International Mobile Subscriber Identity (IMSI) catchers work seamlessly to intercept signals. These devices imitate cell towers and trick cell phones into connecting to them, which allows attackers to eavesdrop on all calls and access messages and browsing done by the cell phone user. In addition, we saw attacks demonstrated on Android and iOS devices that showed how to bypass mitigating controls that were put in place to protect the devices against malware. These attacks allowed the malware to gain elevated privileges so that attackers could gain full control over the device.

One of the greatest areas of recent, mobile development is the use of mobile phones for payments, and Android, iOS and Samsung along with many other major retailers have jumped onto the mobile payment bandwagon. In another DEF CON presentation, the presenter demonstrated a weakness in the Samsung Pay app and the unique token assignment it does for each payment. The weakness was that the method of generating the token allowed for future tokens to be predicted, which could possibly allow an attacker to forge tokens and make unauthorized purchases.

People rely heavily on their cell phones and often use them with an immense amount of blind trust. This is risky because attacks on mobile devices will continue to happen as long as the devices continue to store valuable, sensitive data. To reduce the risk of data or financial loss via your phone, you can do a few things. Ensure your phone is up-to-date with security updates and replace it when the manufacturer stops releasing security patches. Also, make sure your sensitive data is kept encrypted whenever possible.

For more information on this topic, contact Michael J. Unsworth, CISA, IT Assurance Senior Consultant, at 617-933-3372 or