Complex Made Simple

The very latest ways your phone can be hacked: Seriously?

Here are the latest, often bizarre ways, your phone and data are easy prey to hackers

SurfingAttack enables new attack scenarios, such as hijacking a mobile Short Message Service (SMS) passcode If an attacker knows your number and can get your verification code, they can hijack your account Hacker accessed an employee’s phone, by tricking the mobile phone operator into activating his phone number on another device

Your smartphone is smart up to a point, but you need to be smarter in order to avoid it being hacked.

And sometimes, no matter how smart you are, someone has built or is building a technology that will hack your phone no matter what you do. It’s the kind of tech that governments covet, and keep it covert. 

The best you can do now is to be aware, and vigilant, in the hopes that you lessen the likelihood of being hacked.

Here are the latest, often bizarre ways, your phone and data are easy prey to hackers.

Read: 3 Ways to Avoid Getting Phone Hacked

Shake, rattle and show

According to InterestingEngineering, your phone can be hacked even while sitting on the table, with new Vibration Attack.

The tech called ‘SurfingAttack’ uses vibrations to trigger your phone’s voice assistant, even when you’re not using it.

“SurfingAttack leverages the unique properties of acoustic transmission in solid materials to enable multiple rounds of interactions between the voice-controlled device and the attacker over a longer distance and without the need to be in line-of-sight, according to the new attack’s website

SurfingAttack enables new attack scenarios, such as hijacking a mobile Short Message Service (SMS) passcode, making ghost fraud calls without owners’ knowledge.

The attack’s hardware consists mainly of a $5 piezoelectric transducer which can generate vibrations that fall outside the range of human hearing but that your phone’s voice assistant can pick up.

The hack is also constructed so that you won’t notice your voice assistant betraying you, with the volume on your phone also reduced. 

Read: New report surfaces claiming Saudi Arabia hacked Jeff Bezos’ phone

A WhatsApp hack

Forbes writes of a malicious WhatsApp hack that won’t go away, first covered back in January.

Despite sending its messages over any internet bearer, WhatsApp is still linked to your phone number, as it is your unique identifier.

When a user changes their phone or reinstalls the app, WhatsApp needs to verify that the new device is linked to the user’s phone number. This is done through a verification SMS with a six-digit code. Once the user taps in the right code, the new installation of WhatsApp is enabled and all messages sent to that user will come to that device.

“What was actually intended as a security strength is actually a surprise weakness,” writes Forbes. WhatsApp doesn’t check the phone number on the device itself, relying on that SMS. And so, if an attacker knows your number and can get your verification code, they can hijack your account and install your WhatsApp on their device, even though their device has a different phone number to your own.

Attackers that have already hijacked a friend’s WhatsApp or Facebook account would send victims a message along the lines of “my SMS isn’t working, WhatsApp need to send a code and can’t, so I’ve asked them to send it to you instead. Please forward it on.”

The code you then receive relates to your own account not your “friends,” and by forwarding that code, you are essentially providing an attacker everything they need to hijack your account.

You can avoid that. There is a different six-digit code buried in WhatsApp that you can set-up now with a number of your choice, one that won’t be known to WhatsApp or anyone else. 

“When you have this two-step verification enabled,” WhatsApp says, “any attempt to verify your phone number must be accompanied by the six-digit PIN that you created using this feature.” Simply put—the hack will NOT work.  

Read: Smartphone production to drop by 16.5% YoY in Q2 2020, setting historical record

Tricking mobile phone operators

Coindesk reported that BlockFi, a New York-based crypto lending platform, said an attacker got hold of users’ data by compromising an employee’s phone and taking control of the person’s phone number through a SIM swap attack that exposed certain client account information such as names, dates of birth, and activity histories. 

Image by: comparefibre.co.uk BlockFi said the hacker had accessed through an employee’s phone, by tricking the mobile phone operator into activating the employee’s phone number on another device, and thus the hacker was able to gain access.  

Hack-any-phone

According to Vice.com, a US surveillance company produced a tool called Phantom.

“Turn your target’s smartphone into an intelligence gold mine,” a brochure for the hacking product, called Phantom, reads.  

After remotely hacking the phone, Phantom can siphon a target’s emails, text messages, and contact list, as well track their location, turn on the device’s microphone and take photos with its camera, according to the brochure. 

The brochure adds that the system supported the iPhone and various other models of phones from manufacturers like Samsung.

Phantom can apparently “overcome encryption, SSL, proprietary protocols and any hurdle introduced by the complex communications world.” 

Hands are tied on this one.