You don’t have to look far to see how many ways criminals can exploit mobile devices for nefarious purposes. From simple phishing scams to creating fake Wi-Fi networks, the methods in which data can be stolen from smartphones seem endless.
In research to be published in the journal Computers & Security in February, colleagues at the University of South Australia and I showed it’s even possible to pick up data from Android devices by “listening” to sounds humans can’t hear.
Look around you. You probably have at least one smartphone with you most of the time, and these devices can see and hear things around you, as well as pinpoint your location.
Recently colleagues and I surveyed 250 staff and students from the University of South Australia. Unfortunately, but not surprisingly, we found that our survey respondents generally underestimated and did not understand the security and privacy risks associated with the use of mobile devices and apps.
In another recent study, my PhD student Christian D’Orazio and I examined the Apple iOS and systematically analysed mobile devices and apps for vulnerabilities.
By looking into various Apple devices and a range of popular apps (including a government healthcare app), we uncovered previously unknown vulnerabilities (such as software bugs) that could be exploited to expose user-sensitive data stored on or transmitted from the affected devices.
In our Computers & Security paper mentioned above, Quang Do, Ben Martini and I designed a technique which could allow an attacker to covertly exfiltrate data from Android devices via communication methods such as SMS and audio.
If you want to get technical, we injected exfiltration code into the default keyboard on an Android Nexus 4. This produced coded sounds (inaudible to humans) based on key presses, which were picked up by a microphone on an external device and decoded.
We chose the default keyboard on the Nexus 4 because it handled all data input, including usernames and passwords. Another advantage was that it was always running, so the services it instantiated were always running as well.
So how can Google prevent this happening to Nexus 4 users? Something that would work for most apps on the market is to limit the frequencies in which an app may produce sound, and request permission from the user when an app wants to produce inaudible sounds.
Another step in the digital arms war
As the use of mobile devices and apps grows throughout society in general, so does their use by criminals.
This is particularly evident in areas of sophisticated and organised crime where ongoing secure communication is critical for the operation of the criminal syndicate.
During investigations of crimes involving mobile devices, there is usually some accumulation or retention of data on a mobile device that will need to be identified, preserved, analysed and presented in a court of law – a process known as digital forensics.
Existing forensic techniques are designed to collect evidential data from typical mobile device users, such as where advanced security features and anti-forensic techniques are rarely exploited to their full extent.
Our research could provide another weapon in this arsenal for crime investigators.
So while serious and organised criminals often make use of devices specifically designed to evade legal interception and forensic collection attempts, such as the Android-based Blackphone and the well-known BlackBerry, we should not blame technological advances for any increase in cybercriminal exploitation.
Rather, we should learn their tricks to use against them.