Can cell phones be hacked? Security experts say yes, but it’s neither easy nor widespread.
A Tacoma, Wash., family claims the cell phones it uses have been taken over by hackers, who are turning them on at will, capturing conversations and manipulating the cell phone camera.
The story of the Kuykendall family, as reported in the Tacoma News Tribune last week, seems an unlikely one. They believe their cell phones, as well as those owned by other families, have been taken over and that the cell phones' cameras mysteriously turn on and off. While the mystery of the Kuykendall family’s cell-phone experience hasn't been fully explained, people are wondering whether such an event is even possible. Security experts say yes — but it's still in the realm of the unlikely.
Security experts from IBM, McAfee and Symantec agree that virtually any type of cell phone can be broken into and maliciously controlled, though that takes a high degree of sophistication.
“It’s definitely possible, but still something that is limited to a very sophisticated attacker,” says Neel Mehta, team lead in the advanced research group at IBM’s Internet Security Systems Division.
Mehta says malicious code to take over the phone could be sent to the intended victim in the guise of a picture or audio clip. Once the victim clicked on it, the malware would be installed. Many in the industry refer to this as “snoopware.”
A cell-phone hijacking that enables the attacker to manipulate the microphone and camera remains “a very rare occurrence in the field,” says Paul Miller, managing director of mobile security at Symantec.
However, Miller notes that J2EE-styled malware is known to exist, for example the “Red Browser” for sending Short Message Service messages, which is believed to have originated in Russia. Such malware typically has been used to defraud the victim, particularly in Europe. The number of viruses targeting smart phones and feature-based cell phones remains low: in the mobile realm there is roughly one for every 500 viruses targeting PCs, he adds.
There are “spouse-monitoring tools” that can be obtained on the Internet to snoop on phone use, and some pure hacker varieties of this are starting to appear as well, Miller adds.
McAfee agrees that hijacking of cell phones -- whether feature-added voice phones with cameras or the newer breed of computer-based smart phones -- can happen, but appears to be a rare occurrence.
“People aren’t expecting any trouble with mobile phones and in general, it’s been a safe tool,” says Jan Volzke, senior manager in mobile security at McAfee. But having your cell phone hacked “is possible, though unlikely.”
The ways this might be done would depend on someone gaining physical access to the cell phone and deliberately tampering with it, or possibly tricking the cell phone user into downloading malicious software through Bluetooth, infrared or by other means, Volzke says.
Once installed, that Trojan, acting like a small application, would let the attacker remotely control the phone and its features, such as cameras and microphones.
This kind of attack remains highly unusual, Volzke adds, and probably would target the individual using the cell phone rather than an entire cell-phone population base.
The Kuykendall family's situation couldn't occur on a Code Division Multiple Access wireless network, says Jeffrey Nelson, executive director for corporate communications at Verizon Wireless, based in Basking Ridge, N.J. "As any responsible wireless service provider should, we're investigating to best understand what may have happened in this particular situation, and whether it's even theoretically possible. At this point, we don't believe our customers are in any way vulnerable to the kind of remote hacking you describe," he says.
Verizon declined to provide a technical expert to discuss the matter.
Network World Senior Editor John Cox contributed to this story.