Hacking Windows Mobile

iPhones aren't the only Internet-surfing phones that have gaping security weaknesses waiting to be exploited. In fact, all smartphones — that includes Windows Mobile, Symbian, and Blackberry devices — can be easily commandeered by malevolent nerds with a little bit of code and a dose of trickery. In the interest of fairness, we've gotten some security folks from Bluefire Security Technologies to show us what kind of mischief can be made on a regular Windows smartphone, just as we did with the iPhone in November. Or is mischief the wrong word? Perhaps "data and identify theft" are more accurate terms.

Check out the video below:

First things first: who are these guys?
Bluefire provides the tech behind Symantec's mobile security software, and also works with carriers and phone manufacturers to bake in better security to off-the-shelf phones. Of course, this means that they know more about the mobile OS than the average Russian teenager who writes viruses, but it's worth mentioning that the malware they've written for demonstration in the video is actually an exceedingly simple piece of software: only a few lines of code that require a paltry 1K of memory. That's why it's so easily injected into the phone; all it takes is one vague e-mail attachment or malicious website to spread the contagion to your beloved device, and it can embed itself in milliseconds. That's what I call Kelly Clarkson-level contagious — all it takes is a second of exposure, a few notes of "Since You've Been Gone," and you're hooked.

Unlike Kelly Clarkson, however, this simple piece of code can take control of your mobile phone for whatever ends its designers like. (Kelly, by contrast, can merely take control of your heart. But I digress.) The first trick seems harmless enough: changing your preferred homepage. But as Mark Komisky, Bluefire's CEO, notes in the video, forcing your browser to hit a certain malicious site has tremendous potential, especially for hackers intending to impersonate your carrier and ask you for personal information. Same goes for the error message he has the virus generate on the sample phone — another opportunity for carrier impersonation.

While it's not comforting to think about your vitals being purloined — account numbers, addresses, phone and internet contact information — it's perhaps even more unnerving that this bit of malware (and code like it) can spy on your communications, manipulate them, and steal your documents. I'll avoid summarizing every hacking movie ever made, and choose not to enumerate the perverse amount of control this can surrender to a malicious coder. You know and I know: it would be bad. Really bad.

So what is a smartphone owner to do? I have an iPhone and a Blackberry; is someone going to commandeer them both, steal my bank information, dump my girlfriend via text message, and steal my top secret files? Probably not; a comparative few of all cell phones are smart ones, meaning that it's not yet worth most hackers' time to target them. However, it's probably smart to set definitive rules for your phone usage, and delineate what needs to be done via mobile device and what can (and should) be left to the computer. Online banking is one of those tasks; rarely should you find yourself in a position where you must login via phone, when you can just as easily call.

As with all things bad, it's easiest to avoid them if you know how they work, and can identify when you might be getting bamboozled. Keep your vital information close to the vest, monitor your cell statements for unusual data or voice activity, and watch our video again. You'll be glad you did.

Add New Comment